I. U.S. Government Privacy Laws

Similar documents
Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

ANNUAL PRIVACY REPORT

5 FAM 620 INFORMATION TECHNOLOGY (IT) PROJECT MANAGEMENT

Crew Member Self Defense Training (CMSDT) Program

Identity and Access Management Initiatives in the United States Government

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Privacy Impact Assessment

This Instruction implements Department of Homeland Security (DHS) Directive , Privacy Policy for Operational Use of Social Media.

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Port Authority of New York/New Jersey Secure Worker Access Consortium Vetting Services

INFORMATION PROCEDURE

Web Time and Attendance

Privacy Impact Assessment (PIA) Waiver Review System (WRS) Version Last Updated: December 2, 2013

Privacy Impact Assessment for TRUFONE Inmate Telephone System

Homeland Security Virtual Assistance Center

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

A. Title 5, United States Code (U.S.C.), Section 552a, Records Maintained On Individuals (The Privacy Act of 1974)

Office of Inspector General

Department of Defense DIRECTIVE

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

Integrated Financial Management Information System (IFMIS) Merger

Physical Access Control System

General Support System

Department of the Interior Privacy Impact Assessment

NATIONAL HEALTHCARE SAFETY NETWORK USER RULES OF BEHAVIOR. Version /08/05

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer

PRIVACY IMPACT ASSESSMENT (PIA) GUIDE

Privacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006

REMEDY Enterprise Services Management System

POSTAL REGULATORY COMMISSION

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

[Company Name] HIPAA Security Awareness and Workforce Training Program Manual

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Privacy Impact Assessment. For Personnel Development Program Data Collection System (DCS) Date: June 1, 2014

Privacy Impact Assessment (PIA) Consular Affairs Enterprise Service Bus (CAESB) Last Updated: May 1, 2015

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Stakeholder Engagement Initiative: Customer Relationship Management

Federal Bureau of Prisons. Privacy Impact Assessment for the HR Automation System. Issued by: Sonya D. Thompson Deputy Assistant Director/CIO

Briefing Outline. Overview of the CUI Program. CUI and IT Implementation

United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT)

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information:

May 2 1,2009. Re: DHS Data Privacy and Integrity Advisory Committee White Paper on DHS Information Sharing and Access Agreements

United States Trustee Program

Privacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office.

FITSP-Auditor Candidate Exam Guide

Virginia Systems Repository (VSR): Data Repositories DHS/FEMA/PIA 038(a)

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

Clearances, Logistics, Employees, Applicants, and Recruitment (CLEAR)

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

FHFA. Privacy Impact Assessment Template FM: SYSTEMS (SYSTEM NAME)

Student Administration and Scheduling System

Federal Trade Commission Privacy Impact Assessment

PRIVACY IMPACT ASSESSMENT (PIA) For the

Secure Gateway (EMSG)

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

Automated Threat Prioritization Web Service

Screening of Passengers by Observation Techniques (SPOT) Program

Middle Class Economics: Cybersecurity Updated August 7, 2015

Department of State SharePoint Server PIA

Gaming System Monitoring and Analysis Effort

DEPARTMENTAL REGULATION

Accounting Package (ACCPAC)

Integrated Digitization Document Management Program (IDDMP)

NOC Patriot Report Database

Federal Trade Commission Privacy Impact Assessment. for the: Analytics Consulting LLC Claims Management System and Online Claim Submission Website

SUMMARY: The Defense Health Agency proposes to alter an. existing system of records, EDTMA 02, entitled "Medical/Dental

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

Justice Management Division

Our Commitment to Information Security

Standards for Security Categorization of Federal Information and Information Systems

GAO ELECTRONIC GOVERNMENT ACT. Agencies Have Implemented Most Provisions, but Key Areas of Attention Remain

Transcription:

I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management and Budget (OMB) Memorandum M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information 2. OMB Memorandum M-10-23: Guidance for Agency Use of Third-Party Websites and Applications i. Privacy as a core value in U.S. government 1. Confidence and trust a. OMB Memorandum M-03-22: OMB Guidance for Implementing the Privacy Provisions of the E- Government Act of 2002 2. Mission effectiveness a. Federal CIO Council Privacy Committee White Paper: Best Practices: Elements of a Federal Privacy Program 1. Leadership 2. Privacy risk management and compliance documentation 3. Information security

4. Incident response a. OMB Memorandum M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information b. OMB Memorandum issued September 20, 2006: Recommendations for Identity Theft Related Data Breach Notification 5. Notice and redress for individuals 6. Privacy training and awareness 7. Accountability 3. Conflict/tension/intersection of privacy and national security c. Fair Information Practice Principles i. The U.S. Department of Housing Education and Welfare (HEW) Report of 1973 Relationship to Organisation for Economic Co-operation and Development (OECD) Guidelines i Examples of Federal Agency approaches to FIPPs B. The Privacy Act and the E-Government Act a. The Privacy Act of 1974 (as amended) i. Purpose and policy objectives Scope and definitions 1. Agency 2. Individual 3. Record 4. System of records a. Retrieval requirement b. System of Records Notice (SORN) 1. Publication 2. Elements i No disclosure without consent 1. 12 exceptions a. Internal disclosures b. External disclosures 1. Routine uses 2. Other authorized disclosures 3. Accountings

iv. Agency requirements 1. Collection 2. Maintenance 3. Notice 4. Record standards 5. Access and amendment 6. Safeguards 7. Contractors 8. Computer matching 9. Reporting 10. Social Security numbers v. Exemptions vi. Civil remedies and criminal penalties v Office of Management and Budget 1. Statutory government-wide guidance authority, 5 U.S.C. 552a(v) 2. OMB, Privacy Act Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28,948 (1975), and supplemental guidance b. The E-Government Act of 2002, Section 208 of the E-Government Act of 2002 (E-Gov Act) (P.O. 107-347) i. OMB Memorandum M-03-22: OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003) OMB Memorandum M-10-22: Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010) i OMB Memorandum M-10-23: Guidance for Agency Use of Third-Party Websites and Applications (June 10, 2010) iv. Website privacy policy (Section 208) 1. OMB Memorandum M-99-18, Attachment: Guidance and Model Language for Federal Web Site Privacy Policies 2. OMB Memorandum M-03-22, Appendix A, Section III.: Privacy Policies on Agency Websites 3. Contents of privacy policy a. Consent to collection and sharing b. Requirements on agencies c. Rights of individuals d. Comply with the Children s Online Privacy Protection Act (COPPA)

v. Modifications to prior OMB guidelines 1. Notice options 2. Machine-readable privacy policy vi. Privacy Impact Assessments (PIAs) 1. When required 2. Timing 3. Content 4. Exceptions a. National security systems b. Systems previously assessed under a PIA c. Internal government operations d. Systems collecting non-pii 5. PIAs versus SORNs 1. Government websites 6. Publication requirements 7. Reporting requirements 8. Requirements for social media and third-party websites (adapted PIAs) 9. Relationship to the Privacy Act of 1974 a. OMB Memorandum M-06-15: Safeguarding Personally Identifiable Information b. OMB Memorandum M-06-16: Protection of Sensitive Agency Information C. Other Laws and Regulations Affecting U.S. Government Privacy Practice a. Consolidated Appropriations Act of 2005 i. Chief privacy officer and audit provisions OMB Memorandum M-05-08: Designation of Senior Agency Officials for Privacy b. The Federal Information Security Management Act of 2002 (FISMA) i. Federal agency responsibilities 1. Agency program 2. Agency reporting 3. Performance program System vs. enterprise compliance 1. PIA versus security assessment and authorization

2. National Institute of Standards and Technology (NIST) risk management framework a. SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) b. SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations c. SP 800-64: Security Considerations in the System Development Life Cycle d. Federal Information Processing Standards Publication 199 (FIPS 199): Standards for Security Categorization of Federal Information and Information Systems e. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems i OMB reporting instructions for FISMA c. The Freedom of Information Act of 1974 (FOIA) i. Publicly available information 1. Regulations FOIA requests 1. Interface with the Privacy Act 2. Exemptions under the Act 3. Exclusions under the Act d. Paperwork Reduction Act of 1995, 44 U.S.C. 3501-3521 i. OMB Memorandum, April 7, 2010: Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act e. The Data Quality Act of 2002 i. OMB guidance Agency requirements i Administrative mechanisms iv. Periodic reporting f. Federal open meetings laws i. Federal Advisory Committee Act (FACA) Government in the Sunshine Act g. Open Government Directive i. OMB Memorandum M-10-06 h. Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) i. Controlled Unclassified Information (CUI) Office Notice 2011-01: Initial Implementation Guidance for Executive Order 13556

D. Privacy and the Federal Government Intelligence Community a. The Federal Intelligence Community and the Information Sharing Environment (ISE) i. ISE Privacy Guidelines Implementing Recommendations of the 9/11 Commission Act of 2007 i Title VIII: Privacy and Civil Liberties 1. Section 801: Modification of Authorities Relating to Privacy and Civil Liberties Oversight Board 2. Section 802: Department Privacy Officer 3. Section 803: Privacy and Civil Liberties Officers 4. Section 804: Federal Agency Data Mining Reporting Act of 2007 E. Other Federal Information Privacy Laws and Authorities Affecting Government Practice a. Laws affecting both the public and private sectors i. Family Educational Rights and Privacy Act of 1974 (FERPA) II. Health Insurance Portability and Accountability Act of 1998 (HIPAA) i Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) iv. Children s Online Privacy Protection Act of 2000 (COPPA) v. Financial Services Modernization Act of 1999 ( Gramm-Leach-Bliley Act or GLBA) vi. Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (The Red Flags Rule) b. Laws Limiting Government Access i. Bank Secrecy Act of 1970 Foreign Intelligence Surveillance Act of 1978 (FISA) i Right to Financial Privacy Act of 1978 iv. Electronic Communications Privacy Act of 1986 (ECPA) v. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA- PATRIOT) vi. The Real ID Act of 2005 v Cable Communications Policy Act 1984 U.S. Government Privacy Practices A. Privacy Program Management and Organization a. Program development i. Federal CIO Council Privacy Committee White Paper: Best Practices: Elements of a Federal Privacy Program Program elements

b. Program management i. FISMA model Federal Enterprise Architecture Security and Privacy Profile i The Annual OMB Memorandum on Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management c. Federal agency responsibilities i. All agencies Department of Commerce i Office of Personnel Management (OPM) iv. National Archives and Records Administration (NARA) v. Office of Management and Budget (OMB) d. Protecting PII i. U.S. Department of Homeland Security and OMB white paper: Common Risks Impeding Adequate Protection of Government Information The President s identity task force report i OMB Memorandum M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information e. U.S. Government workforce management i. Workforce hiring considerations 1. Office of Personnel Management a. OPM Memorandum: Guidance on Protecting Federal Employee and Social Security Numbers and Combating Identity Theft (June 18, 2007) 2. Background screening and investigations a. Levels of screening b. Financial and medical records 3. Monitoring all use of Federal Government Agency Networks 4. Surveillance in Federal Government Buildings Federal identity management and authentication f. Privacy policy enforcement 1. Homeland Security Presidential Directive (HSPD)-12 2. Federal Identity, Credential and Access Management (FICAM) 3. OMB Memorandum M-04-04: E-Authentication Guidance for Federal Agencies i. Single or multiple policies for each agency Sample approaches

B. Records Management a. Management Process 1. Census Bureau 2. Internal Revenue Service (IRS) 3. Department of Homeland Security (DHS) 4. Department of Defense (DoD) i. OMB Circular A-130: Management of Federal Information Resources b. Record retention NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems c. Inter-agency sharing of personal data i. OMB Memorandum M-11-02: Sharing Data While Protecting Privacy OMB Memorandum M-01-05: Guidance on Inter-Agency Sharing of Personal Data Protecting Personal Privacy i OMB Memorandum M-04-26: Personal Use Policies and File Sharing Technology iv. Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988 d. Common Rule for Protection of Human Subjects i. Institutional review boards (IRBs) e. Disclosure of PII for statistical or research purposes i. Government source to third parties Disclosure avoidance and the challenge of big data i CIPSEA impact for selected agencies C. Auditing and Compliance Monitoring a. Auditing i. Pre-audit (e.g. PIA) Post-audit (e.g. periodic review of disclosure audit trails) i Assessments vs. audits b. Compliance monitoring and reporting i. Office of Management and Budget (OMB) Inspector General (IG) i Government Accountability Office (GAO) iv. Department of Justice (DOJ) v. Department of Health and Human Services (HHS) 1. Office for Civil Rights (OCR)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information