Privacy Act: System of Records Notices and Privacy Act Statements TRICARE Management Activity HEALTH...
-
Upload
erick-thornbrugh -
Category
Documents
-
view
225 -
download
7
Transcript of Privacy Act: System of Records Notices and Privacy Act Statements TRICARE Management Activity HEALTH...
Privacy Act: System of Records Notices and Privacy Act Statements
TRICARE Management ActivityHEALTH AFFAIRS
2009 Data Protection Seminar
TMA Privacy Office
Privacy Act: System of Records Notices and Privacy Act Statements
TRICARE Management ActivityHEALTH AFFAIRS
TRICARE Management ActivityHEALTH AFFAIRS
3
Privacy Act: System of Records Notices and Privacy Act Statements
Purpose
The purpose of this presentation is to provide an overview of the Privacy Act and its various implementing regulations that protect the solicitation, collection, and use of individual information and the maintenance of such information in systems of records
TRICARE Management ActivityHEALTH AFFAIRS
4
Privacy Act: System of Records Notices and Privacy Act Statements
Objectives Upon completion of this presentation, you should be able to:
− Explain the scope of the Privacy Act and the rights it protects related to personally identifiable information (PII)
− Identify the definition of System of Records Notice (SORN)
− Identify the definition of Privacy Act Statement (PAS)
TRICARE Management ActivityHEALTH AFFAIRS
5
Privacy Act: System of Records Notices and Privacy Act Statements
Brief Overview of the Privacy Act of 1974 Statutory Authority
− Codified as 5 U.S.C. § 552(a), as implemented by Office of Management and Budget (OMB) Circular No. A-130
DoD Regulatory Authority
− DoD Directive 5400.11
− DoD 5400.11-R
− Office of the Secretary of Defense (OSD) Administrative Instruction (AI) No. 81
TRICARE Management ActivityHEALTH AFFAIRS
6
Privacy Act: System of Records Notices and Privacy Act Statements
Purpose of the Privacy Act To safeguard information that Federal records contain
pertaining to individuals
To provide access to individuals to correct inaccuracies in their information
To balance individual privacy interests with the government’s need to maintain information about them
To provide remedies for wrongful disclosures
TRICARE Management ActivityHEALTH AFFAIRS
7
Privacy Act: System of Records Notices and Privacy Act Statements
What the Privacy Act Protects Examples of information the Privacy Act protects
− Social Security Numbers (SSNs)
− Home address
− Home telephone
− Date of birth (year included)
− Personal medical information
− Personal/private information (e.g., financial)
A personal identifier is something that identifies, relates, or is unique to an individual
TRICARE Management ActivityHEALTH AFFAIRS
8
Privacy Act: System of Records Notices and Privacy Act Statements
Records Containing Protected Information Whenever a Federal agency maintains information about
individuals and retrieves it using a personal identifier, the record system is a Privacy Act “system of records”
− A record is any item, collection, or group of information about an individual that is stored
− A system of records is a group of records under the control of a DoD Component where there is retrieval of individuals’ information by some identifying number, symbol, or other identifier assigned to the individual
TRICARE Management ActivityHEALTH AFFAIRS
9
Privacy Act: System of Records Notices and Privacy Act Statements
Disclosures and Exceptions No agency shall disclose any record contained in a system of
records by any means of communication without a written request or prior consent of the individual to whom the record pertains
Ten (10) exceptions exist permitting use/disclosure without individual consent. Examples include:
− Routine use “for a purpose compatible to purpose of collection”
− Systems of records that do not retrieve records using a personal identifier
System of Records Notice
TRICARE Management ActivityHEALTH AFFAIRS
TRICARE Management ActivityHEALTH AFFAIRS
11
Privacy Act: System of Records Notices and Privacy Act Statements
System of Records Notices The Privacy Act requires agencies to identify systems of
records that allow for the collection of information retrieved using a personal identifier; and, to publish a SORN in the Federal Register of new or revised systems of record to provide an opportunity for interested persons to comment
- This informs the general public of what data is being collected, the purpose and authority for such collection, and the rules agencies must follow in collecting and maintaining individual information
TRICARE Management ActivityHEALTH AFFAIRS
12
Privacy Act: System of Records Notices and Privacy Act Statements On the Road to Compliance
SORNs operate like an auto insurance policy by describing what is covered and how much protection is provided; and, just like an auto policy is required to operate a car, a SORN is required to operate a system of records
TRICARE Management ActivityHEALTH AFFAIRS
13
Privacy Act: System of Records Notices and Privacy Act Statements SORN Elements System name
Classification
Location
Authority for maintenance
Purpose
Uses and categories of users
Policies and practices
System manager
Notification procedures
Record access procedures
Contest procedures
Record source categories
Exemptions claimed
TRICARE Management ActivityHEALTH AFFAIRS
14
Privacy Act: System of Records Notices and Privacy Act Statements
On the Road to Compliance
Just like an auto policy describes the owner’s information, address, coverage, etc., a SORN does much of the same by complying with Privacy Act requirements to provide important information about systems of records
TRICARE Management ActivityHEALTH AFFAIRS
15
Privacy Act: System of Records Notices and Privacy Act Statements The Role of the TMA Privacy Office Coordinate all SORN submissions for HA and TMA
Serve as the point of contact as for all new, altered, amended, changed, or deleted systems as appropriate (and for submission to OSD and Joint Staff (OSD/JS) for eventual publication as SORNs)
Coordinate with program/system managers to review policies, practices that apply to new or existing systems
Maintain the OSD specific inventory of SORNs for TMA
TRICARE Management ActivityHEALTH AFFAIRS
16
Privacy Act: System of Records Notices and Privacy Act Statements The Role of Program Offices Perform a risk assessment to analyze threats to and
vulnerabilities of a computer system, and the potential impact of the loss of information − http://www.tricare.mil/tmaprivacy/SORWEBSampleRiskAssessment26Mar04.doc
Obtain and complete a system notice format certification document available through the OSD/JS Privacy Office − http://www.dod.mil/pubs/foi/privacy/System_Notice_Certification.xls
TRICARE Management ActivityHEALTH AFFAIRS
17
Privacy Act: System of Records Notices and Privacy Act Statements The Role of Program Offices (continued)
Prepare a new or revised narrative statement− http://www.tricare.mil/tmaprivacy/SORWEBNarStatement.doc
Incorporate the changes and updates from the system format document and those in the narrative statement into a final SORN and submit it to the TMA Privacy Office for review at [email protected]− http://www.tricare.mil/tmaprivacy/SORWEB-InstructionsSystemNotice.doc
Privacy Act Statements
TRICARE Management ActivityHEALTH AFFAIRS
TRICARE Management ActivityHEALTH AFFAIRS
19
Privacy Act: System of Records Notices and Privacy Act Statements Privacy Act Statements The Privacy Act requires that when an agency solicits
information from an individual for a system of records that it must inform the individual in writing of the following:
− Authority
− Principal purpose
− Routine uses
− Whether disclosure is mandatory or voluntary
TRICARE Management ActivityHEALTH AFFAIRS
20
Privacy Act: System of Records Notices and Privacy Act Statements On the Road to Compliance
On the road to compliance, a Privacy Act Statement is just like the flashing stop sign on the side of a school bus, there are consequences to ignoring either
TRICARE Management ActivityHEALTH AFFAIRS
21
Privacy Act: System of Records Notices and Privacy Act Statements Penalties for Non-Compliance Non-compliance with the Privacy Act carries misdemeanor
criminal penalties and fines of up to $5000 for:
− Soliciting or collecting individual data under false pretenses
− Unauthorized disclosure without written permission or consent
− Maintaining or collecting data for a system of records without meeting public notice requirements
There are also substantial civil penalties including awards for actual damages, payment of reasonable attorney fees, and removal from employment
TRICARE Management ActivityHEALTH AFFAIRS
22
Privacy Act: System of Records Notices and Privacy Act Statements Social Security Number Solicitation When soliciting personal information from an individual for
inclusion in a system of records, and especially when an SSN is solicited/collected, a Privacy Act Statement must be provided
Note: The Privacy Act makes it unlawful to deny any benefit, right, or privilege provided by law because the individual refuses to disclose their SSN
TRICARE Management ActivityHEALTH AFFAIRS
23
Privacy Act: System of Records Notices and Privacy Act Statements
Safeguards Personal information shall be collected, maintained, used, or
disclosed, subject to appropriate safeguards
− Administrative
− Physical
− Technical
TRICARE Management ActivityHEALTH AFFAIRS
24
Privacy Act: System of Records Notices and Privacy Act Statements
On the Road to Compliance
Visibility matters. A stop sign is universally recognized because of it's shape and color; however it fails to provide its intended protection on the side of a bus if it is not extended, flashing, and otherwise prominently visible. The same is true with Privacy Act Statements; placement and visibility, are just as crucial to Privacy Act Statements as the information they convey
TRICARE Management ActivityHEALTH AFFAIRS
25
Privacy Act: System of Records Notices and Privacy Act Statements Placement of Privacy Act Statements On forms: At the top of the page immediately under the title
On surveys: At the beginning of the survey in a cover memo or attached directly to the survey
On web pages: Conspicuously placed, at or before the point of collection
For mass collections: In the largest print possible to promote visibility by all
TRICARE Management ActivityHEALTH AFFAIRS
26
Privacy Act: System of Records Notices and Privacy Act Statements Summary You should now be able to:
− Explain the scope of the Privacy Act and the rights it protects related to PII
− Identify the definition of SORN
− Identify the definition of PAS
TRICARE Management ActivityHEALTH AFFAIRS
27
Privacy Act: System of Records Notices and Privacy Act Statements Resources The Privacy Act of 1974, as amended (5 U.S.C § 552a) OMB Circular No. A-130 OMB Memorandum 99-05, and Attachment B DoD Directive 5400.11 DoD Regulation 5400.11-R OSD Administrative Instruction No. 81 SORN questions/comments: [email protected] Privacy Act questions/comments
− DoD Privacy Office: www.defenselink.mil/privacy
− TMA Privacy Office: [email protected]