Transcript of: Privacy Act: System of Records Notices and Privacy Act Statements, TRICARE Management Activity, HEALTH AFFAIRS, 2009 Data Protection Seminar, TMA Privacy Office (27 slides)

Page 1:

Privacy Act: System of Records Notices and Privacy Act Statements

TRICARE Management Activity
HEALTH AFFAIRS

2009 Data Protection Seminar

TMA Privacy Office


Page 3:

Purpose

The purpose of this presentation is to provide an overview of the Privacy Act and its implementing regulations, which govern the solicitation, collection, and use of information about individuals and the maintenance of that information in systems of records.

Page 4:

Objectives

Upon completion of this presentation, you should be able to:

− Explain the scope of the Privacy Act and the rights it protects related to personally identifiable information (PII)

− Identify the definition of System of Records Notice (SORN)

− Identify the definition of Privacy Act Statement (PAS)

Page 5:

Brief Overview of the Privacy Act of 1974

Statutory Authority

− Codified at 5 U.S.C. § 552a (often miscited as § 552(a), which is a subsection of the Freedom of Information Act), with agency implementation guided by Office of Management and Budget (OMB) Circular No. A-130

DoD Regulatory Authority

− DoD Directive 5400.11

− DoD 5400.11-R

− Office of the Secretary of Defense (OSD) Administrative Instruction (AI) No. 81

Page 6:

Purpose of the Privacy Act

− To safeguard information about individuals that Federal records contain

− To give individuals access to their records so they can correct inaccuracies in their information

− To balance individual privacy interests against the government’s need to maintain information about individuals

− To provide remedies for wrongful disclosures

Page 7:

What the Privacy Act Protects

Examples of information the Privacy Act protects:

− Social Security Numbers (SSNs)

− Home address

− Home telephone

− Date of birth (year included)

− Personal medical information

− Personal/private information (e.g., financial)

A personal identifier is any item of information that identifies, relates to, or is unique to an individual.

Page 8:

Records Containing Protected Information

Whenever a Federal agency maintains information about individuals and retrieves it using a personal identifier, the record system is a Privacy Act “system of records”. The retrieval practice is the test: identifiers merely being present in the data is not enough, but if staff can pull up a record by name, SSN, or another identifier assigned to the individual, the system is covered.

− A record is any item, collection, or grouping of information about an individual that an agency maintains (for example, education, financial, medical, criminal, or employment history) and that contains the individual’s name or an identifying number, symbol, or other identifying particular assigned to the individual

− A system of records is a group of records under the control of a DoD Component from which individuals’ information is retrieved by name or by some identifying number, symbol, or other identifier assigned to the individual

Page 9:

Disclosures and Exceptions

No agency shall disclose any record contained in a system of records, by any means of communication, to any person or to another agency except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

Twelve exceptions (5 U.S.C. § 552a(b)(1) through (12)) permit disclosure without the individual’s consent. Examples include:

− Routine use, i.e., disclosure for a purpose compatible with the purpose for which the record was collected, as published in the system’s SORN

− Records that are not retrieved by a personal identifier; these fall outside the definition of a system of records, so the Act’s disclosure restriction does not reach them at all (a limit on the Act’s scope rather than one of the statutory exceptions)

Page 10:

System of Records Notice


Page 11:

System of Records Notices

The Privacy Act requires agencies to identify each system of records (a collection of records retrieved by a personal identifier) and to publish a SORN in the Federal Register for every new or revised system of records, giving interested persons an opportunity to comment before the system is put into operation.

− This informs the general public of what data is being collected, the purpose of and authority for the collection, and the rules the agency must follow in collecting and maintaining the information

Page 12:

On the Road to Compliance

SORNs operate like an auto insurance policy by describing what is covered and how much protection is provided; and, just as an auto policy is required to operate a car, a SORN is required to operate a system of records.

Page 13:

SORN Elements

− System name

− Classification

− Location

− Authority for maintenance

− Purpose

− Uses and categories of users

− Policies and practices

− System manager

− Notification procedures

− Record access procedures

− Contest procedures

− Record source categories

− Exemptions claimed

Page 14:

On the Road to Compliance

Just as an auto policy describes the owner’s information, address, coverage, and so on, a SORN does much the same by providing the information about a system of records that the Privacy Act requires.

Page 15:

The Role of the TMA Privacy Office

− Coordinate all SORN submissions for HA and TMA

− Serve as the point of contact for all new, altered, amended, changed, or deleted systems, as appropriate, and for submission to OSD and the Joint Staff (OSD/JS) for eventual publication as SORNs

− Coordinate with program/system managers to review the policies and practices that apply to new or existing systems

− Maintain the OSD-specific inventory of SORNs for TMA

Page 16:

The Role of Program Offices

− Perform a risk assessment that analyzes the threats to and vulnerabilities of the computer system, and the potential impact of loss of the information
  − http://www.tricare.mil/tmaprivacy/SORWEBSampleRiskAssessment26Mar04.doc

− Obtain and complete the system notice format certification document available through the OSD/JS Privacy Office
  − http://www.dod.mil/pubs/foi/privacy/System_Notice_Certification.xls

Page 17:

The Role of Program Offices (continued)

− Prepare a new or revised narrative statement
  − http://www.tricare.mil/tmaprivacy/SORWEBNarStatement.doc

− Incorporate the changes and updates from the system format document and those in the narrative statement into a final SORN, and submit it to the TMA Privacy Office for review at [email protected]
  − http://www.tricare.mil/tmaprivacy/SORWEB-InstructionsSystemNotice.doc

Page 18:

Privacy Act Statements


Page 19:

Privacy Act Statements

The Privacy Act requires that when an agency solicits information from an individual for a system of records, it must inform the individual in writing, on the form used to collect the information or on a separate form the individual can keep, of the following:

− Authority

− Principal purpose

− Routine uses

− Whether disclosure is mandatory or voluntary, and the effects on the individual, if any, of not providing the requested information

Page 20:

On the Road to Compliance

On the road to compliance, a Privacy Act Statement is just like the flashing stop sign on the side of a school bus: there are consequences to ignoring either.

Page 21:

Penalties for Non-Compliance

Non-compliance with the Privacy Act carries criminal misdemeanor penalties, with fines of up to $5,000, for:

− Soliciting or collecting individual data under false pretenses

− Unauthorized disclosure without written permission or consent

− Maintaining or collecting data for a system of records without meeting public notice requirements

Civil remedies are also available against the agency, including awards of actual damages and reasonable attorney fees and costs; in addition, DoD personnel who violate the Act are subject to administrative sanctions, up to removal from employment.

Page 22:

Social Security Number Solicitation

When soliciting personal information from an individual for inclusion in a system of records, and especially when an SSN is solicited or collected, a Privacy Act Statement must be provided.

Note: Section 7 of the Privacy Act (uncodified) makes it unlawful for any Federal, State, or local government agency to deny an individual any right, benefit, or privilege provided by law because the individual refuses to disclose their SSN, unless the disclosure is required by Federal statute or the system of records was already collecting SSNs under a statute or regulation before January 1, 1975.

Page 23:

Safeguards

Personal information shall be collected, maintained, used, or disclosed only subject to appropriate safeguards that ensure the security and confidentiality of the records and protect them against anticipated threats or hazards to their security or integrity:

− Administrative

− Physical

− Technical

Page 24:

On the Road to Compliance

Visibility matters. A stop sign is universally recognized because of its shape and color; however, it fails to provide its intended protection on the side of a bus if it is not extended, flashing, and otherwise prominently visible. The same is true of Privacy Act Statements: placement and visibility are just as crucial as the information they convey.

Page 25:

Placement of Privacy Act Statements

− On forms: at the top of the page, immediately under the title

− On surveys: at the beginning of the survey, in a cover memo or attached directly to the survey

− On web pages: conspicuously placed, at or before the point of collection

− For mass collections: in the largest print possible to promote visibility by all

Page 26:

Summary

You should now be able to:

− Explain the scope of the Privacy Act and the rights it protects related to PII

− Identify the definition of SORN

− Identify the definition of PAS

Page 27:

Resources

− The Privacy Act of 1974, as amended (5 U.S.C. § 552a)

− OMB Circular No. A-130

− OMB Memorandum 99-05, and Attachment B

− DoD Directive 5400.11

− DoD Regulation 5400.11-R

− OSD Administrative Instruction No. 81

SORN questions/comments: [email protected]

Privacy Act questions/comments:

− DoD Privacy Office: www.defenselink.mil/privacy

− TMA Privacy Office: [email protected]