Headquarters U.S. Air Force
Integrity - Service - Excellence


Safeguarding of Personally Identifying Information
a.k.a. Privacy Act Data – It is Your Duty!

Privacy Act Educational Awareness for all Air Force Employees –
Military Members, Civilians, Air Force Reserve, Air National Guard, & Contractors

Why You are Being Asked to Take this Educational Awareness Now…

- In a number of recent incidents, personal data has been lost, stolen, or compromised
- The Office of Management and Budget (OMB), the Federal entity responsible for overseeing the Privacy Act (PA), has mandated that the Federal workforce complete this educational awareness briefing
- Because personal information is handled by a wide number of Air Force offices, it is imperative that all personnel understand and apply guidance on the proper handling of this sensitive information
- To preclude YOU or a member of your staff from becoming the subject of an investigation

Criminal Penalties for Noncompliance with the Privacy Act

- For knowingly and willfully disclosing Privacy Act protected data to any person not entitled to access:
  - Misdemeanor criminal charge, and a fine of up to $5,000 per incident
- For maintaining a System of Records without meeting the public notice requirements:
  - Misdemeanor criminal charge, and a fine of up to $5,000
- For knowingly and willfully requesting or obtaining records under false pretenses:
  - Misdemeanor criminal charge, and a fine of up to $5,000

Civil Penalties for Noncompliance with the Privacy Act

- The Privacy Act also imposes civil penalties on violators (normally the agency) who:
  - Unlawfully refuse to amend a record
  - Unlawfully refuse to grant access to records
  - Fail to maintain accurate, relevant, timely and complete data
  - Fail to comply with any Privacy Act provision or agency rule in a way that results in an adverse effect on an individual
- Penalties include:
  - Payment of actual damages
  - Payment of reasonable attorney’s fees
  - Removal from employment

Safeguarding Requirements

- Three levels of safeguards are required:
  - Administrative
  - Physical
  - Technical
- These individuals are responsible for establishing safeguards:
  - Information Technology System Designers
  - Privacy Act System Managers
  - Local Privacy Act Officials
  - And you (all Airmen)…

Remember: YOU are responsible for ensuring that safeguards are applied!

If You Have Access to Personal Data...

- Protect it at all times
- Do not share it with anyone unless:
  - The recipient is listed in subsection (b) of the Privacy Act (the statutory conditions of disclosure), or
  - The subject of the record has given you written permission to disclose it to the recipient
- Password-protect, and otherwise restrict access to, personal data placed on shared drives, the Internet, or the intranet
- Monitor your actions. Ask yourself, for example: “If I do this, will I increase the risk of unauthorized access?”

Remember: You may be subject to civil and criminal penalties for violating the Privacy Act

Tips for Avoiding Privacy Breaches…

- Take privacy protection seriously
- Respect the privacy of others
- Report to your supervisor or other management official when you see personal data left unattended
- Know the Privacy Act requirements. Refer to the following governing publications for additional guidance: AFI 33-332, Privacy Act Program, which implements DoDD 5400.11, DoD Privacy Program; and DoD 5400.11-R, DoD Privacy Program
- Also, visit the following Web sites:
  http://www.dtic.mil/whs/directives/corres/html/540011.htm
  http://www.foia.af.mil/Privacy

Reporting Inappropriate Disclosures

- Immediately notify the following of the occurrence:
  - Your supervisor
  - Your local Privacy Act Officer
  - The Privacy Act System Manager
  - Any other appropriate official
- For World Wide Web postings, record where the information was posted by copying the Uniform Resource Locator (URL)
  - The URL is the address shown in the browser’s address bar at the top of the screen; it typically begins with http:// (many begin http://www). Copy the complete URL, not just the site name, so the exact page can be identified

Air Force Freedom of Information Act (FOIA) and Privacy Act (PA) Points of Contact

For additional information, inquiries, and/or questions, you may contact your base, MAJCOM, FOA, or DRU FOIA/PA Manager identified on the attached FOIA/PA listing

Thank you for completing this important educational awareness briefing!

…there is more Privacy Act related information in the back-up slides, such as: purposes of The Privacy Act of 1974, key Privacy Act terminology, marking Privacy Act protected data, transporting Privacy Act protected data, storing Privacy Act protected data, disposing of Privacy Act protected data, sharing Privacy Act protected data, information for telecommuters, and controlled unclassified information types and references

Back-up Slides
Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty!

The Privacy Act of 1974

The Privacy Act of 1974 is intended to balance the Government’s need for information against the individual’s right to privacy. Among its purposes, the Privacy Act of 1974 is intended to:

- Give individuals access to records kept on them
- Allow individuals to correct errors in those records
- Limit the information that is collected to what is relevant and necessary
- Restrict access to personal information by third parties, that is, to protect the privacy interests of the subject from any other person, with some exceptions
- Provide remedies for noncompliance with the Privacy Act of 1974

Key Privacy Act Terminology

The following are key terms used in Privacy Act discussions:

- Record: Any item or collection of information about an individual which is maintained by an agency and which contains that person’s name or other identifying particulars
- System of Records: A group of records under the control of an agency from which information is (not merely can be) retrieved by the name of the individual or by some personal identifier
- Personal Information: The types of information protected by the Privacy Act of 1974, as distinguished from “official information”, which is generally not protected
  - Examples of “personal information” are: Social Security number, marital status, number and sex of dependents, home of record, age and date of birth, home address, and telephone number
  - Examples of “official information” are: name, military rank and date of rank, pay and special pay, military awards and decorations, and current assignment

Marking Privacy Act Protected Data

- Privacy Act protected data are to be handled as “For Official Use Only” (FOUO); see DoD 5200.1-R, Information Security Program, Appendix 3, located at this Web site:
  http://www.dtic.mil/whs/directives/corres/html/52001r.htm
- Mark Privacy Act protected data with a handling notice when it is created or received:
  - “For Official Use Only – Privacy Act of 1974”
  - “For Official Use Only – Privacy Act Protected Data”
- Place the FOUO marks at the top or bottom of each page or screen. (Classified records, by contrast, are marked at both the top and bottom of the page as well as at each paragraph)
- Before disseminating Privacy Act protected data, make sure it carries the FOUO handling notice

Transporting Privacy Act Protected Data

- Using ground mail:
  - Use brown or white envelopes to mail documents
  - Never use “holey joes” (interoffice routing envelopes with holes) or messenger-type envelopes
  - You may double wrap the documents using an inner and outer envelope, if you deem it appropriate
  - Mark the envelope to the attention of an authorized recipient
  - Never indicate on the outer envelope that the contents contain Privacy Act protected data
- Hand-carrying:
  - When hand-carrying FOUO documents, never leave the documents unattended
  - Ensure contents are properly covered (using AF IMT 3227, Privacy Act Cover Sheet) and/or placed in an envelope to shield the contents
  - Do not leave FOUO documents on a person’s desk; hand them to the recipient to ensure there is no unauthorized access
- Using e-mail:
  - Use Common Access Card (CAC) procedures: digitally sign and encrypt the message with your CAC certificates
  - Announce in the opening line of text that you are relaying FOUO material

Storing Privacy Act Protected Data

- Duty hours
  - Cover documents or move them out of sight when persons not authorized access enter the work space
  - Use privacy filters on computer screens to block viewing from the side
  - Lock computers when leaving, even for brief periods
- After duty hours
  - If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet
  - Special categories of Privacy Act protected data should be placed in locked receptacles
- What are some special categories of Privacy Act data?
  - Investigative files
  - Personnel files
  - Security clearance files
  - Adverse action files
  - Any category that, if released, would embarrass or harm the subject

Disposing of Privacy Act Protected Data

- Use any reasonable means that prevents inadvertent compromise!
- A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction
- Disposal methods may include:
  - Tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding (GSA-approved shredder), and mutilation
  - Recycling contracts are acceptable if the documents are properly protected while in a destruction bin, protected in transit, and one of the above destruction methods is used by the contractor

Sharing of Privacy Act Protected Data

- Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform official, assigned duties
- If the Privacy Act System Manager has granted you authority to make disclosures outside the Department of Defense (DoD):
  - Share only with those individuals and entities outside DoD that are listed in the “Routine Use” clause of the governing Privacy Act System of Records Notice. Visit the following Web site for DoD Privacy Act system notices:
    http://www.defenselink.mil/privacy/notices/
- If you have doubts about sharing data, consult with your supervisor, the Privacy Act System Manager, or your local Privacy Act Officer

Information for Telecommuters

- Paper records:
  - Place Privacy Act protected data in locked drawers, locked briefcases, or other secure areas where family/household members, visitors, or intruders cannot access it
- Electronic records:
  - Use password protection. Do not share your password
  - Do not store Privacy Act protected data on disks, CDs, USB flash drives, memory sticks, flash cards, or other media without proper security protections or authorization
  - Do not use wireless computer technology without following the proper security protocols

Controlled Unclassified Information Types and References

- For Official Use Only (FOUO):
  - FOUO is not a security classification. It is derived from the Freedom of Information Act, which exempts certain information from automatic release to the public. Use FOUO only when necessary. Reference: DoD 5200.1-R, Appendix 3, paragraph AP 3.2
- Privacy Act:
  - Requires agencies to publish descriptions of systems of records containing personal information. References: DoDD 5400.11 and DoD 5400.11-R, DoD Privacy Program; and AFI 33-332, Privacy Act Program
- Scientific & Technical Information (STINFO):
  - Information relating to research, development, engineering, testing, evaluation, production, operation, use, and maintenance of military products, services, etc. Reference: AFI 61-204, Disseminating Scientific & Technical Information

Controlled Unclassified Information Types and References (Cont’d.)

- Export Control:
  - The U.S. Government controls exports of sensitive equipment, software, and technology as a means to promote our national security interests and foreign policy objectives. Reference: DoD Directive 5230.25, Withholding of Unclassified Technical Data From Public Disclosure
- Unclassified Controlled Nuclear Information (UCNI):
  - Department of Energy (DOE) UCNI: Unclassified facility design information; operational information concerning the production, processing or utilization of nuclear materials for atomic energy defense programs; safeguards and security information; nuclear materials; and declassified controlled nuclear weapon information previously classified as Restricted Data
  - DoD UCNI: Unclassified information about security measures (including security plans, procedures, and equipment) for the physical protection of DoD Special Nuclear Material, equipment, or facilities
- Additional references are:
  - AFPD 31-4, Information Security, which mandates the policy for protecting sensitive Air Force information
  - AFI 31-401, Information Security Program Management, which prescribes and explains how to manage and protect unclassified controlled information and classified information

More Related Content

What's hot

Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Navigating Risk In Data & Technology Transactions
Navigating Risk In Data & Technology TransactionsNavigating Risk In Data & Technology Transactions
Navigating Risk In Data & Technology TransactionsMMMTechLaw
 
Revision Data Protection Act (Eduardo And Salvador)
Revision   Data Protection Act (Eduardo And Salvador)Revision   Data Protection Act (Eduardo And Salvador)
Revision Data Protection Act (Eduardo And Salvador)itgsabc
 
Data protection act
Data protection act Data protection act
Data protection act Iqbal Bocus
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018ProColombia
 
Privacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarPrivacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarLance Michalson
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age - Mark - Fullbright
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet LawKlemchuk LLP
 
Data Privacy Micc Presentation
Data Privacy   Micc PresentationData Privacy   Micc Presentation
Data Privacy Micc Presentationashishjoshi
 
Talking about Privacy
Talking about PrivacyTalking about Privacy
Talking about Privacymbattagl
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryHNI Risk Services
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Legal aspects of IT security
Legal aspects of IT securityLegal aspects of IT security
Legal aspects of IT securityAdv Prashant Mali
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 

What's hot (20)

Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Navigating Risk In Data & Technology Transactions
Navigating Risk In Data & Technology TransactionsNavigating Risk In Data & Technology Transactions
Navigating Risk In Data & Technology Transactions
 
Revision Data Protection Act (Eduardo And Salvador)
Revision   Data Protection Act (Eduardo And Salvador)Revision   Data Protection Act (Eduardo And Salvador)
Revision Data Protection Act (Eduardo And Salvador)
 
Data protection act
Data protection act Data protection act
Data protection act
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018
 
Privacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminarPrivacy and Protection of Personal Information law seminar
Privacy and Protection of Personal Information law seminar
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age
 
Right to privacy
Right to privacyRight to privacy
Right to privacy
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law
 
Privacy - USC 2005
Privacy - USC 2005Privacy - USC 2005
Privacy - USC 2005
 
Data Privacy Micc Presentation
Data Privacy   Micc PresentationData Privacy   Micc Presentation
Data Privacy Micc Presentation
 
Talking about Privacy
Talking about PrivacyTalking about Privacy
Talking about Privacy
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation Industry
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance Whitepaper
 
Legal aspects of IT security
Legal aspects of IT securityLegal aspects of IT security
Legal aspects of IT security
 
Personal Data Protection Law
Personal Data Protection LawPersonal Data Protection Law
Personal Data Protection Law
 
Business Controls, Inc. Solutions
Business Controls, Inc. SolutionsBusiness Controls, Inc. Solutions
Business Controls, Inc. Solutions
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 

Similar to Sec af pa slides

Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOAtlantic Training, LLC.
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Rimon - CLE on Cloud Lawyering for PAABA
Rimon - CLE on Cloud Lawyering for PAABARimon - CLE on Cloud Lawyering for PAABA
Rimon - CLE on Cloud Lawyering for PAABAYaacov Silberman
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Sagar Rahurkar
 
Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)Dan Michaluk
 
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & PrivacyDo You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & PrivacyButlerRubin
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...Vijay Dalmia
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 
Lasa European NFP Technology Conference 2010 - Data protection and the cloud
Lasa European NFP Technology Conference 2010 - Data protection and the cloudLasa European NFP Technology Conference 2010 - Data protection and the cloud
Lasa European NFP Technology Conference 2010 - Data protection and the cloudukriders
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Hr Wcu General Security Awareness Training Ed01
Hr Wcu General Security Awareness Training Ed01Hr Wcu General Security Awareness Training Ed01
Hr Wcu General Security Awareness Training Ed01Donna Koger
 
Dataprotectionactnew13 12-11-111213033116-phpapp02
Dataprotectionactnew13 12-11-111213033116-phpapp02Dataprotectionactnew13 12-11-111213033116-phpapp02
Dataprotectionactnew13 12-11-111213033116-phpapp02tinkusing
 

Similar to Sec af pa slides (20)

4514611.ppt
4514611.ppt4514611.ppt
4514611.ppt
 
Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPO
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Rimon - CLE on Cloud Lawyering for PAABA
Rimon - CLE on Cloud Lawyering for PAABARimon - CLE on Cloud Lawyering for PAABA
Rimon - CLE on Cloud Lawyering for PAABA
 
Frankston
FrankstonFrankston
Frankston
 
POPI Seminar FINAL
POPI Seminar FINALPOPI Seminar FINAL
POPI Seminar FINAL
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000
 
Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)Introduction to FOI law (the law of information)
Introduction to FOI law (the law of information)
 
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & PrivacyDo You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy
Do You Wannacry: Your Ethical and Legal Duties Regarding Cybersecurity & Privacy
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
Cyber Risks
Cyber RisksCyber Risks
Cyber Risks
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
 
Lasa European NFP Technology Conference 2010 - Data protection and the cloud
Lasa European NFP Technology Conference 2010 - Data protection and the cloudLasa European NFP Technology Conference 2010 - Data protection and the cloud
Lasa European NFP Technology Conference 2010 - Data protection and the cloud
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Hr Wcu General Security Awareness Training Ed01
Hr Wcu General Security Awareness Training Ed01Hr Wcu General Security Awareness Training Ed01
Hr Wcu General Security Awareness Training Ed01
 
Dataprotectionactnew13 12-11-111213033116-phpapp02
Dataprotectionactnew13 12-11-111213033116-phpapp02Dataprotectionactnew13 12-11-111213033116-phpapp02
Dataprotectionactnew13 12-11-111213033116-phpapp02
 

Sec af pa slides

  • 1. Headquarters U.S. Air Force Integrity - Service - Excellence Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty! Privacy Act Educational Awareness for all Air Force Employees – Military Members, Civilians, Air Force Reserve, Air National Guard, & Contractors
  • 2. Why You are Being Asked to Take this Educational Awareness Now…  In a number of recent incidents, personal data has been lost, stolen, or compromised  The Office of Management and Budget (OMB), the Federal entity responsible for overseeing the Privacy Act (PA), has mandated that the Federal workforce complete this educational awareness briefing  Because personal information is handled by a wide number of Air Force offices, it is imperative that all personnel understand and apply guidance on the proper handling of this sensitive information  To preclude YOU or a member of your staff from being the subject of an investigation Integrity - Service - Excellence 2
  • 3. Criminal Penalties for Noncompliance with the Privacy Act  For knowingly and willfully disclosing Privacy Act protected data to any person not entitled to access:  Misdemeanor criminal charge, and a fine of up to $5,000 per incident  For maintaining a System of Records without meeting the public notice requirements:  Misdemeanor criminal charge, and a fine of up to $5,000  For knowingly and willfully requesting or obtaining records under false pretenses:  Misdemeanor criminal charge, and a fine of up to $5,000 Integrity - Service - Excellence 3
  • 4. Civil Penalties for Noncompliance with the Privacy Act  The Privacy Act also imposes civil penalties on violators (normally the agency) who:  Unlawfully refuse to amend a record  Unlawfully refuse to grant access to records  Fail to maintain accurate, relevant, timely and complete data  Fail to comply with any Privacy Act provision or agency rule that results in an adverse effect  Penalties include:  Payment of actual damages  Payment of reasonable attorney’s fees  Removal from employment Integrity - Service - Excellence 4
  • 5. Safeguarding Requirements  Three Levels of Safeguards are Required:  Administrative  Physical  Technical  These individuals are responsible for establishing safeguards:  Information Technology System Designers  Privacy Act System Managers  Local Privacy Act Officials  And you (all Airman)… Remember: YOU are responsible for ensuring that safeguards are applied! Integrity - Service - Excellence 5
  • 6. If You Have Access to Personal Data...  Protect it at all times  Do not share it with anyone unless:  The recipient is listed in Section (b) of the Privacy Act  The subject of the record has given you written permission to disclose it to the recipient  Password protect personal data placed on shared drives, the Internet, or the Intranet  Monitor your actions: For example, “If I do this, will I increase the risk of unauthorized access?” Remember: You may be subject to civil and criminal penalties for violating the Privacy Act Integrity - Service - Excellence 6
7. Tips for Avoiding Privacy Breaches…
  • Take privacy protection seriously
  • Respect the privacy of others
  • Report to your supervisor or other management official when you see personal data left unattended
  • Know the Privacy Act requirements. Refer to the following governing publications for additional guidance: AFI 33-332, Privacy Act Program, which implements DoDD 5400.11, DoD Privacy Program; and DoD 5400.11-R, DoD Privacy Program
  • Also, visit the following Web Sites:
    - http://www.dtic.mil/whs/directives/corres/html/540011.htm
    - http://www.foia.af.mil/Privacy
8. Reporting Inappropriate Disclosures
  • Immediately notify:
    - Your supervisor
    - Your local Privacy Act Officer
    - The Privacy Act System Manager
    - And any other appropriate official of the occurrence
  • For World Wide Web postings, make a note of where the information was posted by copying the Uniform Resource Locator (URL)
    - The URL is the address listed at the top of the screen. Most URLs begin http://www
9. Air Force Freedom of Information Act (FOIA) and Privacy Act (PA) Points of Contact
  • For additional information, inquiries, and/or questions, you may contact your base, MAJCOM, FOA, or DRU FOIA/PA Manager identified on the attached FOIA/PA listing
10. Thank you for completing this important educational awareness briefing!
  …there is more Privacy Act related information found in the back-up slides…
  Such as: purposes of The Privacy Act of 1974, key Privacy Act terminology, marking Privacy Act protected data, information on transporting Privacy Act protected data, storing Privacy Act protected data, disposing of Privacy Act protected data, sharing of Privacy Act protected data, information for telecommuters, and controlled unclassified information types and references
11. Headquarters U. S. Air Force
  Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty!
  Back-up Slides
12. The Privacy Act of 1974
  • The Privacy Act of 1974 is intended to balance the Government’s need for information against the individual’s right to privacy. Among its purposes, the Privacy Act of 1974 is intended to:
    - Give individuals access to records kept on them
    - Allow individuals to correct errors in those records
    - Limit information that is collected to what is relevant and necessary
    - Restrict access to personal information by third parties—that is, to protect the privacy interests of the subject from any other person, with some exceptions
    - Provide remedies for non-compliance with the Privacy Act of 1974
13. Key Privacy Act Terminology
  • The following are key terms used in Privacy Act discussions:
    - Record: Any item or collection of information about an individual which is maintained by an agency and which contains that person’s name or other identifying particulars
    - System of Records: A group of records under the control of an agency from which information is (not can be) retrieved by name of the individual or by some personal identifier
    - Personal Information: The types of information protected by the Privacy Act of 1974—distinguish from “official information,” which is generally not protected
  • Examples of “personal information” are: Social Security number, marital status, number and sex of dependents, home of record, age and date of birth, home address, and telephone number
  • Examples of “official information” are: Name, military rank and date of rank, pay and special pay, military awards and decorations, and current assignment
14. Marking Privacy Act Protected Data
  • Privacy Act protected data are to be handled as “For Official Use Only” (FOUO); see DoD 5200.1-R, Information Security Program, Appendix 3, located at this Web Site: http://www.dtic.mil/whs/directives/corres/html/52001r.htm
  • Mark Privacy Act protected data with a handling notice when it is created or received:
    - “For Official Use Only – Privacy Act of 1974”
    - “For Official Use Only – Privacy Act Protected Data”
  • Place the FOUO marks at the top or bottom of each page or screen. Classified records are marked on both the top and bottom of the page as well as at each paragraph
  • Before disseminating Privacy Act protected data, make sure it carries the FOUO handling notice
15. Transporting Privacy Act Protected Data
  • Using Ground Mail:
    - Use brown or white envelopes to mail documents
    - Never use “holey joes” or messenger-type envelopes
    - You may double wrap the documents using an inner and outer envelope, if you deem it appropriate
    - Mark the envelope to the attention of an authorized recipient
    - Never indicate on the outer envelope that the contents contain Privacy Act protected data
  • Hand-carrying:
    - When hand-carrying FOUO documents, never leave the documents unattended
    - Ensure contents are properly covered (using AF IMT 3227, Privacy Act Cover Sheet) and/or placed in an envelope to shield contents
    - Do not leave FOUO documents on a person’s desk; hand them to the recipient to ensure there is no unauthorized access
  • Using E-mail:
    - Use Common Access Card procedures
    - Announce in the opening line of text that you are relaying FOUO material
16. Storing Privacy Act Protected Data
  • Duty Hours
    - Cover or place documents in an out-of-sight location when those not authorized access enter the work space
    - Use filtering devices on computer screens to blacken the view
    - Lock computers when leaving – even for brief periods
  • After Duty Hours
    - If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet
    - Special categories of Privacy Act protected data should be placed in locked receptacles
  • What are Some Special Categories of Privacy Act Data?
    - Investigative Files
    - Personnel Files
    - Security Clearance Files
    - Adverse Action Files
    - Any category that, if released, would embarrass or harm the subject
17. Disposing of Privacy Act Protected Data
  • Use any reasonable means that prevents inadvertent compromise!
  • A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction
  • Disposal methods may include:
    - Tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding (GSA-approved shredder), and mutilation
  • Recycling contracts are acceptable, if the documents are properly protected while in a destruction bin, protected in transit, and one of the above destruction methods is used by the contractor
18. Sharing of Privacy Act Protected Data
  • Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform official, assigned duties
  • If the Privacy Act System Manager has granted you authority to make disclosures outside the Department of Defense (DoD):
    - Share only with those individuals and entities outside DoD that are listed in the “Routine Use” clause of the governing Privacy Act System of Records Notice. Visit the following Web Site for DoD Privacy Act systems notices: http://www.defenselink.mil/privacy/notices/
  • If you have doubts about sharing data, consult with your supervisor, the Privacy Act system manager, or your local Privacy Act Officer
19. Information for Telecommuters
  • Paper Records:
    - Place Privacy Act protected data in locked drawers, locked briefcases, or other secure areas where family/household members, visitors, or intruders cannot access it
  • Electronic Records:
    - Use password protection protocols. Do not share your password
    - Do not store Privacy Act protected data on disks, CDs, USB flash drives, memory sticks, flash cards, or other media without proper security protections or authorization
    - Do not use wireless computer technology without following the proper security protocols
20. Controlled Unclassified Information Types and References
  • For Official Use Only (FOUO):
    - FOUO is not a security classification. It is derived from the Freedom of Information Act, which prohibits the automatic release of information to the public. Use FOUO only when necessary. References: DoD 5200.1-R, Appendix 3, paragraph AP 3.2
  • Privacy Act:
    - Requires agencies to publish descriptions of systems of records containing personal information. References: DoD 5400.11 and DoD 5400.11-R, DoD Privacy Program; and AFI 33-332, Privacy Act Program
  • Scientific & Technical Information (STINFO):
    - Information relating to research, development, engineering, testing, evaluation, production, operation, use, and maintenance for military products, services, etc. Reference: AFI 61-204, Disseminating Scientific & Technical Information
21. Controlled Unclassified Information Types and References (Cont’d.)
  • Export Control:
    - The U.S. Government controls exports of sensitive equipment, software, and technology as a means to promote our national security interests and foreign policy objectives. Reference: DoD Directive 5230.25, Withholding of Unclassified Technical Data From Public Disclosure
  • Unclassified Controlled Nuclear Information (UCNI):
    - Department of Energy (DOE) UCNI: Unclassified facility design information, operational information concerning the production, processing or utilization of nuclear materials for atomic energy defense programs, safeguards and security information, nuclear materials, and declassified controlled nuclear weapon information previously classified as Restricted Data
    - Unclassified information about security measures (including security plans, procedures, and equipment) for the physical protection of DoD Special Nuclear Material, equipment, or facilities
  • Additional References are:
    - AFPD 31-4, Information Security, which mandates the policy for protecting sensitive Air Force information
    - AFI 31-401, Information Security Program Management, which prescribes and explains how to manage and protect unclassified controlled information and classified information