Data Classification & Privacy Inventory Workshop

Implementing Security to Protect Privacy

November 2005

Welcome & Introductions

Debra Reiger, State Information Security Officer

Joanne McNabb, California Office of Privacy Protection

Lester Chan, California Office of HIPAA Implementation

Workshop Agenda

Welcome & Introductions - Debra Reiger

Information Privacy & Security - Joanne McNabb

Introduction to State Policy on Data Classification - Debra Reiger

Break

Protected Health Information - Lester Chan

Conducting a Privacy Inventory - Joanne McNabb

Workshop Exercise - Lester Chan

Information Privacy & Security

Privacy: Individual’s interest in controlling the handling of his/her personal information

Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use

Information security is essential to privacy protection.

“Personal information is like toxic waste – Managing it requires a high level of skill and training.”

-Phil Agre, Technology and Privacy in a New Landscape

Why Protect Personal Information

Law and Policy Information Practices Act, HIPAA Data Classification, Encryption (soon)

Risk Reduction SAM Security breach notification law (Civil Code § 1798.29) – Cost of notification $1-$25 per notice

Identity Theft > 9 Million victims and $52.6 Billion in 2004

Protecting Personal Information

1. Classify data and identify records systems containing personal identifying information.

2. Locate records needing special protection:
  Notice-Triggering Personal Information
  Health Information (Protected or Electronic)

3. Protect with appropriate security measures:
  Administrative, Technical, Physical

State Policy on Classifying Data

Classification of Information

Introduction

State policy requires that we identify and classify our data and protect it appropriately.

See SAM Sections 4840-4845

Automated files and databases are essential public resources.

We are the protectors of the public’s information.

We must first classify and locate data before we can properly protect it.

Information Protection

Give appropriate protection from unauthorized:
  Use
  Access
  Disclosure
  Modification
  Loss
  Deletion

Information Classifications

Public Information

Confidential Information

Public Information

Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

Confidential Information

Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

Sensitive & Personal Info

Sensitive and personal information may occur in public and/or confidential records.

Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure.

Sensitive Information

Requires special precautions to protect from:
  Unauthorized use
  Access
  Disclosure
  Modification
  Loss
  Deletion

Sensitive Information

May be either Public or Confidential.

Requires a higher than normal assurance of accuracy and completeness.

Key factor is integrity.

Typical records are agency financial transactions and regulatory actions.

Personal Information

Identifies or describes an individual

Must be protected from inappropriate:
  Access
  Use
  Disclosure

Must also be accessible to data subjects upon request

Personal Information

Identifies or describes an individual:
  Name
  Home address
  Home phone
  etc.

Sub-types of Personal Information:
  Notice-Triggering Personal Information
  Medical Information
    Protected Health Information
    Electronic Health Information

Notice-Triggering Personal Info

Name plus specific items of personal information:
  Social Security Number
  Driver’s license/I.D. card number
  Financial Account Number

Requires notifying individuals if it is acquired by an unauthorized person.

Protected Health Information

HIPAA Covered Entities

Protected Health Information

Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form.

State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.

Electronic Health Information

Individually identifiable health information transmitted by electronic media or maintained in electronic media

Electronic Health Information

Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure

Current Information

Assess current systems for protected health information in physical (paper) and electronic form.

Include personal information in the data classification portion of risk analysis and risk management.
  Risk analysis and risk management are required of HIPAA covered entities.

Future Data Systems

Be aware of these data classifications as more data is created, maintained or transmitted.

Plan for protecting your data during the system design phase.

Collect data that you have the authority and need to collect.

Conducting a Privacy Inventory

Where is your data? Where is your personal data?

Privacy Inventory Process

1. ISO/PO gets management support.

2. Each division/program identifies “Privacy Contact.” ISO/PO explains process to Privacy Contacts.

3. Privacy Contacts complete Privacy Inventory Worksheet.

4. ISO/PO/Program implement appropriate safeguards.

5. ISO/PO conduct ongoing privacy awareness training for users (more on this later).

Overview of Worksheet

Part I: Records System Inventory

Part II: Privacy Practices Inventory

Part I of Inventory Worksheet

Records Systems Containing Personal Information
  Start with Records Inventory for Records Retention Schedule
  List only Records Systems containing personal information

1. Records System

Group of records maintained for official purposes

Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject

Personal Information

Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code 1798.3

Information on clients, consumers, applicants, licensees, employees, contractors – everyone

2. Description of Records

Examples:
  Applications for general contractor’s license
  Personnel records of current employees
  Case records of recipients of in-home supportive service, past and present
  Consumer complaints

3. Sources of Records

Examples:
  Subject supplies information on application form.
  Schools provide information on transcripts.
  DOJ provides information from criminal history records.

4. Owner and Location

1. Owner: Department/Division/Program that collects and maintains the records

2. Location: Agency name and address where original records system is located

3. Contact: Name, title, business contact information of agency official responsible for records system

5. Authority

Citation of regulation or statute authorizing agency to collect and maintain records system

6. Media of Records System

1. Medium of “original” records system: electronic, paper, tape

2. Additional media on which records are stored or used:
  PC
  Laptop
  Other portable device or medium

7. Type of Personal Information

Objective: Identify records systems containing personal information needing special protections
  Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number)
  Health/medical information
  Other personal information (Home Address, MMN, DOB, etc.)

8. Confidential or Sensitive Info

Does the records system contain any confidential or sensitive information (other than personal information)?
  Confidential: Exempt from PRA
  Sensitive: For example, network configuration, agency bank records

9. Routine Uses & Disclosures

Purposes for which records were created

Uses and users

Disclosures outside agency that collects and maintains records system

Part II of Inventory Worksheet

Privacy Practices
  Checklist of major practices per IPA, Government Code, etc.
  Optional – but good way to start to build privacy awareness

1. Privacy Policy Statement

Is your agency’s privacy policy statement posted in your office(s)?

Is it posted on your Web site(s)?
  Government Code 11019.9

2. Rules of Conduct

Does your program/agency have written rules of conduct for handling records containing personal information?
  Civil Code 1798.20

If so, attach copy to Worksheet.

3. Access Guidelines

Does your program/agency have regulations or guidelines telling individuals how they can access their own records?
  Civil Code 1798.34 – 1798.44

If so, attach copy to Worksheet.

4. Notice on Collection

How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information?
  Civil Code 1798.17

  Printed on paper forms
  On online forms
  Other

5. Public Records Act Disclosures

Do you have written procedures for responding to PRA requests?
  How do you protect personal information in public records?

If so, attach copy to Worksheet.

6. Retention & Destruction

Is this records system listed in your Records Retention Schedule?

7. Incident Notification Procedures

Does the program/division/department have written procedures for notification of privacy/security incidents?
  For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft

Privacy Awareness

Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements

Ongoing awareness training for all users is essential
  Coming soon from COPP

End of Presentation

Questions

Comments