U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework) is a training presentation that provides:
1) an overview/review of the foundations of privacy and privacy protection in the United States.
2) a historical overivew of privacy events and guidance in chronological format that shows four separate timelines side by side, to help provide a frame of reference to the issuance of privacy guidance by showing the “Privacy Events” and then providing information about the Advancement of IT Technology, “Hacking Events”, and in addition, provides some of the current events that taking place.
3) A visual representation of federal laws, requirements, or guidance and the relationships created byt the various laws.
This document outlines a presentation on legal aspects of health informatics. It discusses various topics like different legal systems, sources of law, privacy laws including HIPAA and Thailand's health information privacy law. It provides an overview of basics of legal systems including civil law and common law. It also summarizes key aspects of privacy rules under HIPAA such as protected health information, permitted uses and disclosures of PHI, responsibilities of covered entities, and HIPAA's impact on research.
The document discusses data protection and the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key aspects of the GDPR including its scope, definitions of personal and special categories of data, the grounds for processing each type of data, and the six data protection principles of the GDPR around lawful and fair processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Organizations are advised to review their data protection practices to ensure compliance with the GDPR.
This document provides an introduction to information governance training. It covers key topics like confidentiality, data protection, freedom of information, record keeping, and information security. Regarding confidentiality, it discusses the duty of confidence healthcare workers have toward patient information and the Caldicott principles for justified use of confidential data. It also introduces scenarios to illustrate proper and improper handling of personal information.
This document provides an overview of key concepts related to health information law and governance. It defines different types of law, the role of law in healthcare and health information, and protections for health data under HIPAA. The document also distinguishes between different types of health records and ownership versus custodianship of records. It emphasizes the importance of privacy, confidentiality and security of health information, as well as the role of information stewardship and governance.
Slides dr farah jameel's gdpr presentation april 2018amirhannan
The document provides an introduction to the General Data Protection Regulation (GDPR) for general practitioners in the UK. It summarizes the key aspects of GDPR, including the new rights it provides individuals over their personal data, such as rights to access, rectify, and erase personal data. It outlines the lawful bases for processing personal data and special categories of health data. It also discusses the requirements under GDPR for responsibilities, documentation, security, and appointments of Data Protection Officers.
This document defines key terms from the Kenya Data Protection Act of 2019 in order to help achieve compliance. It explains personal data, data subjects, processing, data controllers, data processors, personal data breaches, lawful basis, individual rights, sensitive personal data, the Office of Data Protection Commissioner, registration requirements, and the role of the Data Protection Officer. The overall goal is to lay out the steps needed to comply with the Data Protection Act of 2019, which regulates the processing of personal data and provides rights and obligations related to data protection in Kenya.
General Data Protection Regulation or GDPRNupur Samaddar
General Data Protection Regulation or GDPR,he way companies across the world will handle their customers' personal information and creating strengthened and unified data protection for all individuals within the EU.
The document provides an overview of key aspects of data protection and GDPR compliance, including:
- Definitions of key terms like personal data, data subject, and processor.
- The legal bases for processing different types of personal data and the additional protections for special categories of data.
- Steps in the "data lifecycle" including collection, storage, usage, sharing, and disposal of personal data.
- Examples of common types of personal data and requirements for demonstrating compliance through policies and procedures for areas like privacy notices, data breaches, and data subject access requests.
This document outlines a presentation on legal aspects of health informatics. It discusses various topics like different legal systems, sources of law, privacy laws including HIPAA and Thailand's health information privacy law. It provides an overview of basics of legal systems including civil law and common law. It also summarizes key aspects of privacy rules under HIPAA such as protected health information, permitted uses and disclosures of PHI, responsibilities of covered entities, and HIPAA's impact on research.
The document discusses data protection and the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key aspects of the GDPR including its scope, definitions of personal and special categories of data, the grounds for processing each type of data, and the six data protection principles of the GDPR around lawful and fair processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Organizations are advised to review their data protection practices to ensure compliance with the GDPR.
This document provides an introduction to information governance training. It covers key topics like confidentiality, data protection, freedom of information, record keeping, and information security. Regarding confidentiality, it discusses the duty of confidence healthcare workers have toward patient information and the Caldicott principles for justified use of confidential data. It also introduces scenarios to illustrate proper and improper handling of personal information.
This document provides an overview of key concepts related to health information law and governance. It defines different types of law, the role of law in healthcare and health information, and protections for health data under HIPAA. The document also distinguishes between different types of health records and ownership versus custodianship of records. It emphasizes the importance of privacy, confidentiality and security of health information, as well as the role of information stewardship and governance.
Slides dr farah jameel's gdpr presentation april 2018amirhannan
The document provides an introduction to the General Data Protection Regulation (GDPR) for general practitioners in the UK. It summarizes the key aspects of GDPR, including the new rights it provides individuals over their personal data, such as rights to access, rectify, and erase personal data. It outlines the lawful bases for processing personal data and special categories of health data. It also discusses the requirements under GDPR for responsibilities, documentation, security, and appointments of Data Protection Officers.
This document defines key terms from the Kenya Data Protection Act of 2019 in order to help achieve compliance. It explains personal data, data subjects, processing, data controllers, data processors, personal data breaches, lawful basis, individual rights, sensitive personal data, the Office of Data Protection Commissioner, registration requirements, and the role of the Data Protection Officer. The overall goal is to lay out the steps needed to comply with the Data Protection Act of 2019, which regulates the processing of personal data and provides rights and obligations related to data protection in Kenya.
General Data Protection Regulation or GDPRNupur Samaddar
General Data Protection Regulation or GDPR,he way companies across the world will handle their customers' personal information and creating strengthened and unified data protection for all individuals within the EU.
The document provides an overview of key aspects of data protection and GDPR compliance, including:
- Definitions of key terms like personal data, data subject, and processor.
- The legal bases for processing different types of personal data and the additional protections for special categories of data.
- Steps in the "data lifecycle" including collection, storage, usage, sharing, and disposal of personal data.
- Examples of common types of personal data and requirements for demonstrating compliance through policies and procedures for areas like privacy notices, data breaches, and data subject access requests.
The document discusses a group project for an HCS/455 class where students were asked to research and summarize a health care policy. The group selected HIPAA as their policy and provided details on its history, purpose, and impact. They noted that HIPAA was established in 1996 to protect patients' private health information and allow continuity of health insurance coverage between jobs. It set national standards for safeguarding sensitive patient information and established penalties for non-compliance. The policy is aimed at and impacts health care consumers, medical staff, insurers, and government agencies who oversee its implementation.
This unit covers gathering, assessing, and presenting data and information. It discusses collecting data confidentially, including personal and privileged information. A data subject has rights to be informed of how their information is collected and used. Maintaining confidentiality is important, such as keeping files password protected, anonymizing data if possible, and informing participants how their information will be stored and accessed. The learner will apply these concepts by considering possible confidentiality challenges in research topics and how to ensure privacy.
Data Privacy and consent management .. .ClinosolIndia
Data privacy and consent management are critical aspects of ensuring that individuals' personal information is handled responsibly and ethically, particularly in healthcare settings where sensitive medical data is involved. Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure, while consent management involves obtaining and managing individuals' permissions for the collection, storage, and processing of their data.
In healthcare, patients entrust providers with their sensitive medical information, expecting that it will be kept confidential and used only for legitimate purposes related to their care. Robust data privacy measures include encryption, access controls, and anonymization techniques to safeguard patient data from unauthorized access or breaches. Additionally, healthcare organizations must adhere to regulatory standards such as HIPAA in the United States or GDPR in the European Union, which outline specific requirements for the protection of patient information and impose penalties for non-compliance.
Consent management plays a crucial role in ensuring that individuals have control over how their data is used. Patients should be informed about the purposes for which their data will be collected and processed, as well as any potential risks or benefits associated with its use. Obtaining informed consent involves providing individuals with clear and transparent information about their privacy rights and giving them the opportunity to consent to or decline the use of their data for specific purposes. Consent management systems help healthcare organizations track and manage patients' consent preferences, ensuring that data is used in accordance with their wishes and legal requirements.
Effective data privacy and consent management practices not only protect individuals' privacy rights but also foster trust and transparency in healthcare relationships. By implementing robust security measures, respecting patients' autonomy, and promoting informed decision-making, healthcare organizations can uphold the principles of data privacy and consent while leveraging data responsibly to improve patient care and outcomes.
Panel Presentation: Privacy Impact Assessments (PIA)
Coordinators of an upcoming conference, attended by federal government IT managers and staff, invited you to participate in a panel presentation about privacy. For this activity, prepare a 5 to 7 paragraph briefing statement which answers the following four questions. Use information from the weekly readings as your research material. Go to Content >> Course Resources >> Expanded Explanation for Discussion Question Responses to learn more about the format requirements for a "briefing statement."
Definitions:
Privacy
has many definitions. When examining data protection and privacy laws and practices, it can be helpful to focus on four categories or classes of privacy.
Information privacy
is concerned with establishing rules that govern the collection and handling of personal information. Examples include financial information, medical information, government records and records of a person’s activities on the Internet.
Bodily privacy
focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches. It also encompasses issues such as birth control, abortion, and adoption.
Territorial privacy
is concerned with placing limits on the ability to intrude into another individual’s environment. “Environment” can include the home, workplace, or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance, ID checks, and use of similar technology and procedures.
Communications privacy
encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus.
Privacy Impact Assessment (PIA)
: A PIA is both a process and a document. It is a process that focuses upon identifying and assessing risks related to privacy of data handled by a specific IT system or database. It is a process that communicates the results of the PIA process to stakeholders. Released PIAs are either fully available to the public, while redaction removes sensitive/non-public information in other PIAs
.
When responding to this discussion, prepare a 5 to 7 paragraph briefing statement which answers the following four questions:
1. What is
privacy?
Is it a right? An expectation? Discuss differing definitions, e.g. "the average person" definition vs. a legal definition, and how these differences impact risk assessments for privacy protections (or the lack thereof).
2. What are some important best practices for protecting privacy for information collected, stored, used, and transferred by the US federal government? Identify and discuss three or more best practice recommendations for reducing risk by improving or ensuring the privacy of information processed by or stored in an organization’s IT systems and databases.
3. Explain why federal government agencies and departme.
Social media is becoming more important in the healthcare field. But, there are legal implications to using social media tools of which those in the industry should be aware.
Speakers:
Tatiana Melnik, JD
Associate Attorney, Dickinson Wright PLLC
Brian Balow, JD
Member, Dickinson Wright PLLC
Health Insurance Portability and Accountability Act of 1996.docxAlesandriaPablo
This document summarizes key elements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, including who is covered, what information is protected, and how protected health information can be used and disclosed. It explains that the Privacy Rule establishes national standards to protect patients' sensitive health information and is administered by the Department of Health and Human Services. The Privacy Rule covers health plans, health care providers, health care clearinghouses, and their business associates and protects individuals' personal health information. It allows covered entities to use and disclose this information for treatment, payment, and health care operations under certain circumstances.
Theera-Ampornpunt N. Health information privacy: Asia's viewpoint. Presented at: Globalizing Asia: Health Law, Governance, and Policy - Issues, Approaches, and Gaps!; 2012 Apr 16-18; Bangkok, Thailand.
Critique a Criminal Justice Policy at the Federal or State LevelMargenePurnell14
Critique a Criminal Justice Policy at the Federal or State Level
Instructions
Critique a criminal justice policy used at the federal or state level that has notably been determined as failing to meet its objectives for improvement after an implementation plan was carried out to support that policy.
For this assignment, you will reflect on what you have learned this week and will develop a 3-page memo to explain and summarize why a criminal justice policy failed to meet its strategic goals. The purpose here is to become familiar with the parts of a criminal justice policy and to learn how the implementation of a new criminal justice policy using a strategic plan led to its failure so you can evaluate how to avoid such mistakes in your planning efforts.
Be sure to incorporate the following into a memo:
• Provide reasoning about the purpose of the criminal justice policy and how it was implemented.
• Discuss the basis for the plan's failure and what resources were used to carry out the implementation of that plan.
Length: 3-page memo
References: Include a minimum of 5 scholarly resources.
The completed assignment should address all the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources, reflect academic expectations, and current APA standards, and adhere to the Northcentral University's Academic Integrity Policy.
207
Health Information Ownership: Legal
Theories and Policy Implications
Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*
ABSTRACT
This Article explores the nature and characteristics of health
information that make it subject to federal and state laws and the existing
legal framework that confers rights and responsibilities with respect to
health information. There are numerous legal and policy considerations
surrounding the question of who owns health information, including
whether and how to confer specific ownership rights to health
information. Ultimately, a legal framework is needed that reflects the
rights of a broad group of stakeholders in the health information
marketplace, from patients to providers to payers, as well as the public’s
interest in appropriate sharing of health information.
TABLE OF CONTENTS
I. INTRODUCTION .................................................................... 208
II. THE UNIQUE NATURE OF HEALTH INFORMATION ................ 209
A. Definitions of Health Information .................................. 210
1. Health Information Characteristics .................... 210
2. Health Information Types ................................... 212
III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH
INFORMATION ...................................................................... 214
IV. LEGAL THEORIES OF INFORMATION OWNERSHIP ................. 219
A. Property law ................. ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
Retailers are liable for identity theft and can be subject to fines and criminal prosecution for breach. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the 6 General Mandates that affect every retailer? What can merchants do to secure their electronic payments systems and procedures?
This document discusses key privacy and data security questions that in-house counsel should address. It covers the current regulatory environment, including the GDPR, CCPA, and Ohio Data Protection Act. It defines important concepts like personal data and data subject rights. It also outlines enforcement mechanisms and penalties for noncompliance, such as fines under the GDPR and private rights of action under the CCPA. In-house counsel are encouraged to understand their company's risks and compliance, have strategies for responding to incidents, and potentially form a privacy or data security committee.
A general talk on privacy in early 2009, with quite a few slides summarizing the US National Research Council\'s report "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment" that was issued in late 2008
Information control and privacy are important for allowing people to maintain control over their lives and protect themselves from harm. Information control refers to managing information flows, while privacy is the right to control how personal data is collected and shared. There are various technical and policy methods for controlling information and protecting privacy, such as encryption, access controls, and data minimization. However, digital data collection and security threats pose ongoing challenges to privacy. Individual awareness and vigilance over personal data sharing are important for maintaining privacy and security.
Information control and privacy are important for allowing people to maintain control over their lives and protect themselves from harm. Information control refers to managing information flows, while privacy is the right to control how personal data is collected and shared. There are various technical and policy methods for controlling information and protecting privacy, such as encryption, access controls, and data minimization. However, digital data collection and security threats pose ongoing challenges to privacy. Individual awareness and vigilance over personal data sharing are important for maintaining privacy and security.
I’m attaching some info on the agency I work for. I work remot.docxdonnajames55
I’m attaching some info on the agency I work for. I work remotely at New Heights Middle School in Jefferson SC as a behavioral health counselor. I have a LMSW; I provide counseling services to kids from age 12-14. I was drawn to this agency due to my desire to work with kids. My prior job was at palmetto pee dee behavioral health. The kids there had mostly conduct disorders. At CareSouth I can focus a lot on actual counseling and less case management. They also pay for ceus and provide clinical supervision. My self-care that I practice is just doing something nice for myself once a week. Because sometimes you give so much of yourself to others you will forget about you.
State Laws Protecting Citizen Information and
Breach Notification Laws
ISOL633 - Legal Regulations,
Compliance, and Investigation
Learning Objective
Describe state legal compliance laws addressing public and private institutions.
Key Concepts
State regulation of privacy and information security
State data breach notification
State encryption regulations
State data disposal regulations
History of state privacy protection laws
DISCOVER: CONCEPTS
California Notification Law
California Database Security Breach Notification Act
First breach notification law
Enacted on July 1, 2003
Purpose to give California residents timely information to protect themselves
Serves as model for other states
California Notification Law
Anyone who owns or uses computerized data containing unencrypted personal information
Anyone who owns or uses computerized data containing unencrypted personal information
7/1/2018
6
Who Must Comply?
State agencies
Private organiza-tions
Business
Any entity storing info on California residents
Nonprofit organiza-tions
Data Breach Notification Laws
Requirements to inform customers of a data breach
Civil and/or criminal penalties for failure to disclose
Private right of action
Exemptions from reporting
DISCOVER: PROCESS
Personal Information - Defined
The general definition of “personal Information” is:
Both the Individual’s first name/initial and last name
And one or more of
Social Security Number
Driver’s License / State ID Number
Financial Account/Credit/Debit number AND the PIN/code/password to access it
Does not include publicly available information legally obtainable by general public from governmental records.
Check out this PDF from Baker & Hostetler, LLP for a nice chart documenting where personal information is wider than the general definition.
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was encrypted
No notification required
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was not encrypted
Individuals must receive notice of security breach
DISCOVER: ROLES
Roles
Chief Infor.
This document provides an overview of data privacy for governmental organizations. It discusses what data privacy is, the risks associated with it such as identity theft, and common laws around data privacy including California state laws. It recommends that organizations take an inventory of their data, develop privacy policies and training, and ensure proper system monitoring and controls. The document emphasizes being proactive on data privacy issues.
This document discusses a "nightmare letter" that organizations could receive from customers requesting details on how their personal information is collected and protected. The letter requests information on what data the organization has on the customer, how it is used and shared, details of any past data breaches or security incidents, security and privacy policies and practices, and technologies used to protect information. It is presented as a tool for organizations to test their ability to respond to access requests and identify privacy issues. The document also discusses Symantec solutions that can help organizations address the types of concerns raised in the letter.
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
More Related Content
Similar to U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework)
The document discusses a group project for an HCS/455 class where students were asked to research and summarize a health care policy. The group selected HIPAA as their policy and provided details on its history, purpose, and impact. They noted that HIPAA was established in 1996 to protect patients' private health information and allow continuity of health insurance coverage between jobs. It set national standards for safeguarding sensitive patient information and established penalties for non-compliance. The policy is aimed at and impacts health care consumers, medical staff, insurers, and government agencies who oversee its implementation.
This unit covers gathering, assessing, and presenting data and information. It discusses collecting data confidentially, including personal and privileged information. A data subject has rights to be informed of how their information is collected and used. Maintaining confidentiality is important, such as keeping files password protected, anonymizing data if possible, and informing participants how their information will be stored and accessed. The learner will apply these concepts by considering possible confidentiality challenges in research topics and how to ensure privacy.
Data Privacy and consent management .. .ClinosolIndia
Data privacy and consent management are critical aspects of ensuring that individuals' personal information is handled responsibly and ethically, particularly in healthcare settings where sensitive medical data is involved. Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure, while consent management involves obtaining and managing individuals' permissions for the collection, storage, and processing of their data.
In healthcare, patients entrust providers with their sensitive medical information, expecting that it will be kept confidential and used only for legitimate purposes related to their care. Robust data privacy measures include encryption, access controls, and anonymization techniques to safeguard patient data from unauthorized access or breaches. Additionally, healthcare organizations must adhere to regulatory standards such as HIPAA in the United States or GDPR in the European Union, which outline specific requirements for the protection of patient information and impose penalties for non-compliance.
Consent management plays a crucial role in ensuring that individuals have control over how their data is used. Patients should be informed about the purposes for which their data will be collected and processed, as well as any potential risks or benefits associated with its use. Obtaining informed consent involves providing individuals with clear and transparent information about their privacy rights and giving them the opportunity to consent to or decline the use of their data for specific purposes. Consent management systems help healthcare organizations track and manage patients' consent preferences, ensuring that data is used in accordance with their wishes and legal requirements.
Effective data privacy and consent management practices not only protect individuals' privacy rights but also foster trust and transparency in healthcare relationships. By implementing robust security measures, respecting patients' autonomy, and promoting informed decision-making, healthcare organizations can uphold the principles of data privacy and consent while leveraging data responsibly to improve patient care and outcomes.
Panel Presentation: Privacy Impact Assessments (PIA)
Coordinators of an upcoming conference, attended by federal government IT managers and staff, invited you to participate in a panel presentation about privacy. For this activity, prepare a 5 to 7 paragraph briefing statement which answers the following four questions. Use information from the weekly readings as your research material. Go to Content >> Course Resources >> Expanded Explanation for Discussion Question Responses to learn more about the format requirements for a "briefing statement."
Definitions:
Privacy
has many definitions. When examining data protection and privacy laws and practices, it can be helpful to focus on four categories or classes of privacy.
Information privacy
is concerned with establishing rules that govern the collection and handling of personal information. Examples include financial information, medical information, government records and records of a person’s activities on the Internet.
Bodily privacy
focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches. It also encompasses issues such as birth control, abortion, and adoption.
Territorial privacy
is concerned with placing limits on the ability to intrude into another individual’s environment. “Environment” can include the home, workplace, or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance, ID checks, and use of similar technology and procedures.
Communications privacy
encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus.
Privacy Impact Assessment (PIA)
: A PIA is both a process and a document. It is a process that focuses upon identifying and assessing risks related to privacy of data handled by a specific IT system or database. It is a process that communicates the results of the PIA process to stakeholders. Released PIAs are either fully available to the public, while redaction removes sensitive/non-public information in other PIAs
.
When responding to this discussion, prepare a 5 to 7 paragraph briefing statement which answers the following four questions:
1. What is
privacy?
Is it a right? An expectation? Discuss differing definitions, e.g. "the average person" definition vs. a legal definition, and how these differences impact risk assessments for privacy protections (or the lack thereof).
2. What are some important best practices for protecting privacy for information collected, stored, used, and transferred by the US federal government? Identify and discuss three or more best practice recommendations for reducing risk by improving or ensuring the privacy of information processed by or stored in an organization’s IT systems and databases.
3. Explain why federal government agencies and departme.
Social media is becoming more important in the healthcare field. But, there are legal implications to using social media tools of which those in the industry should be aware.
Speakers:
Tatiana Melnik, JD
Associate Attorney, Dickinson Wright PLLC
Brian Balow, JD
Member, Dickinson Wright PLLC
Health Insurance Portability and Accountability Act of 1996.docxAlesandriaPablo
This document summarizes key elements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, including who is covered, what information is protected, and how protected health information can be used and disclosed. It explains that the Privacy Rule establishes national standards to protect patients' sensitive health information and is administered by the Department of Health and Human Services. The Privacy Rule covers health plans, health care providers, health care clearinghouses, and their business associates and protects individuals' personal health information. It allows covered entities to use and disclose this information for treatment, payment, and health care operations under certain circumstances.
Theera-Ampornpunt N. Health information privacy: Asia's viewpoint. Presented at: Globalizing Asia: Health Law, Governance, and Policy - Issues, Approaches, and Gaps!; 2012 Apr 16-18; Bangkok, Thailand.
Critique a Criminal Justice Policy at the Federal or State LevelMargenePurnell14
Critique a Criminal Justice Policy at the Federal or State Level
Instructions
Critique a criminal justice policy used at the federal or state level that has notably been determined as failing to meet its objectives for improvement after an implementation plan was carried out to support that policy.
For this assignment, you will reflect on what you have learned this week and will develop a 3-page memo to explain and summarize why a criminal justice policy failed to meet its strategic goals. The purpose here is to become familiar with the parts of a criminal justice policy and to learn how the implementation of a new criminal justice policy using a strategic plan led to its failure so you can evaluate how to avoid such mistakes in your planning efforts.
Be sure to incorporate the following into a memo:
• Provide reasoning about the purpose of the criminal justice policy and how it was implemented.
• Discuss the basis for the plan's failure and what resources were used to carry out the implementation of that plan.
Length: 3-page memo
References: Include a minimum of 5 scholarly resources.
The completed assignment should address all the assignment requirements, exhibit evidence of concept knowledge, and demonstrate thoughtful consideration of the content presented in the course. The writing should integrate scholarly resources, reflect academic expectations, and current APA standards, and adhere to the Northcentral University's Academic Integrity Policy.
207
Health Information Ownership: Legal
Theories and Policy Implications
Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*
ABSTRACT
This Article explores the nature and characteristics of health
information that make it subject to federal and state laws and the existing
legal framework that confers rights and responsibilities with respect to
health information. There are numerous legal and policy considerations
surrounding the question of who owns health information, including
whether and how to confer specific ownership rights to health
information. Ultimately, a legal framework is needed that reflects the
rights of a broad group of stakeholders in the health information
marketplace, from patients to providers to payers, as well as the public’s
interest in appropriate sharing of health information.
TABLE OF CONTENTS
I. INTRODUCTION .................................................................... 208
II. THE UNIQUE NATURE OF HEALTH INFORMATION ................ 209
A. Definitions of Health Information .................................. 210
1. Health Information Characteristics .................... 210
2. Health Information Types ................................... 212
III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH
INFORMATION ...................................................................... 214
IV. LEGAL THEORIES OF INFORMATION OWNERSHIP ................. 219
A. Property law ................. ...
Personally Identifiable Information – FTC: Identity theft is the most common ...Jan Carroza
Retailers are liable for identity theft and can be subject to fines and criminal prosecution for breach. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the 6 General Mandates that affect every retailer? What can merchants do to secure their electronic payments systems and procedures?
This document discusses key privacy and data security questions that in-house counsel should address. It covers the current regulatory environment, including the GDPR, CCPA, and Ohio Data Protection Act. It defines important concepts like personal data and data subject rights. It also outlines enforcement mechanisms and penalties for noncompliance, such as fines under the GDPR and private rights of action under the CCPA. In-house counsel are encouraged to understand their company's risks and compliance, have strategies for responding to incidents, and potentially form a privacy or data security committee.
A general talk on privacy in early 2009, with quite a few slides summarizing the US National Research Council\'s report "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment" that was issued in late 2008
Information control and privacy are important for allowing people to maintain control over their lives and protect themselves from harm. Information control refers to managing information flows, while privacy is the right to control how personal data is collected and shared. There are various technical and policy methods for controlling information and protecting privacy, such as encryption, access controls, and data minimization. However, digital data collection and security threats pose ongoing challenges to privacy. Individual awareness and vigilance over personal data sharing are important for maintaining privacy and security.
Information control and privacy are important for allowing people to maintain control over their lives and protect themselves from harm. Information control refers to managing information flows, while privacy is the right to control how personal data is collected and shared. There are various technical and policy methods for controlling information and protecting privacy, such as encryption, access controls, and data minimization. However, digital data collection and security threats pose ongoing challenges to privacy. Individual awareness and vigilance over personal data sharing are important for maintaining privacy and security.
I’m attaching some info on the agency I work for. I work remot.docxdonnajames55
I’m attaching some info on the agency I work for. I work remotely at New Heights Middle School in Jefferson SC as a behavioral health counselor. I have a LMSW; I provide counseling services to kids from age 12-14. I was drawn to this agency due to my desire to work with kids. My prior job was at palmetto pee dee behavioral health. The kids there had mostly conduct disorders. At CareSouth I can focus a lot on actual counseling and less case management. They also pay for ceus and provide clinical supervision. My self-care that I practice is just doing something nice for myself once a week. Because sometimes you give so much of yourself to others you will forget about you.
State Laws Protecting Citizen Information and
Breach Notification Laws
ISOL633 - Legal Regulations,
Compliance, and Investigation
Learning Objective
Describe state legal compliance laws addressing public and private institutions.
Key Concepts
State regulation of privacy and information security
State data breach notification
State encryption regulations
State data disposal regulations
History of state privacy protection laws
DISCOVER: CONCEPTS
California Notification Law
California Database Security Breach Notification Act
First breach notification law
Enacted on July 1, 2003
Purpose to give California residents timely information to protect themselves
Serves as model for other states
California Notification Law
Anyone who owns or uses computerized data containing unencrypted personal information
Anyone who owns or uses computerized data containing unencrypted personal information
7/1/2018
6
Who Must Comply?
State agencies
Private organiza-tions
Business
Any entity storing info on California residents
Nonprofit organiza-tions
Data Breach Notification Laws
Requirements to inform customers of a data breach
Civil and/or criminal penalties for failure to disclose
Private right of action
Exemptions from reporting
DISCOVER: PROCESS
Personal Information - Defined
The general definition of “personal Information” is:
Both the Individual’s first name/initial and last name
And one or more of
Social Security Number
Driver’s License / State ID Number
Financial Account/Credit/Debit number AND the PIN/code/password to access it
Does not include publicly available information legally obtainable by general public from governmental records.
Check out this PDF from Baker & Hostetler, LLP for a nice chart documenting where personal information is wider than the general definition.
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was encrypted
No notification required
Breach Notification Decision Making
If breach occurred or may have occurred and
Computer system contains personal information
Personal information was not encrypted
Individuals must receive notice of security breach
DISCOVER: ROLES
Roles
Chief Infor.
This document provides an overview of data privacy for governmental organizations. It discusses what data privacy is, the risks associated with it such as identity theft, and common laws around data privacy including California state laws. It recommends that organizations take an inventory of their data, develop privacy policies and training, and ensure proper system monitoring and controls. The document emphasizes being proactive on data privacy issues.
This document discusses a "nightmare letter" that organizations could receive from customers requesting details on how their personal information is collected and protected. The letter requests information on what data the organization has on the customer, how it is used and shared, details of any past data breaches or security incidents, security and privacy policies and practices, and technologies used to protect information. It is presented as a tool for organizations to test their ability to respond to access requests and identify privacy issues. The document also discusses Symantec solutions that can help organizations address the types of concerns raised in the letter.
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Similar to U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework) (20)
36. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 12/28/06 U.S. State Department A bag containing approximately 700 completed passport applications was reported missing on December 1st. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los Angeles International Airport. 700 12/05/06 Army National Guard 130th Airlift Wing (Charleston, WV) A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing. Unknown 11/15/06 Internal Revenue Service (Washington, DC) According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. Unknown 11/01/06 U.S. Army Cadet Command (Fort Monroe, VA) A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, SSNs, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship. 4,600 high school seniors 10/25/06 Transportation Security Administration (TSA) (Portland, OR) A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names, addresses, phone numbers and SSNs of approximately 900 current and former employees. 900 current and former Oregon TSA employees 10/20/06 Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System (New York, NY) On Sept. 6th, an unencrypted laptop computer containing veterans' names, SSNs, and medical diagnosis was stolen from the hospital. 1,600 veterans who receive pulmonary care at the facility
37. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 10/12/06 Congressional Budget Office (CBO) (Washington, D.C.) Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO. Unknown number of e-mail addresses 10/12/06 U.S. Census Bureau This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs. Unknown number of Travis Co., TX, residents 10/06/06 Camp Pendleton Marine Corps base via Lincoln B.P. Management (Camp Pendleton near Oceanside, CA) A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents. 2,400 09/21/06 U.S. Dept. of Commerce and Census Bureau (Washington, DC) The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had "protections to prevent a breach of personal information." Unknown 09/17/06 Direct Loans, part of William D. Ford Federal Direct Loan Program within U.S. Dept. of Education and Federal Student Aid via its IT contractor ACS A security breach exposed private information of student loan borrowers from Aug. 20th – 22nd during a computer software upgrade. Users of the Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online. 21,000 accounts
38. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 09/07/06 Florida National Guard (Bradenton, FL) A laptop computer was stolen from a soldier's vehicle containing training and administrative records, including SSNs of up to 100 Florida National Guard soldiers. 100 09/05/06 Transportation Security Administration (TSA) via Accenture (Washington, DC) In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN, date of birth, and salary information to the wrong addresses due to an administrative error. 1,195 former TSA employees 08/25/06 U.S. Dept. of Transportation, Federal Motor Carrier Safety Administration (FMCSA) (Baltimore, MD) A laptop that "might contain" personal information of people with commercial driver's licenses was stolen Aug. 22nd. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. 193 08/23/06 U.S. Dept. of Education, Direct Loan Servicing Online (Atlanta, GA) A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. 21,000 08/21/06 U.S. Dept. of Education via contractor, DTI Associates (Washington, DC) Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. 43
39. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 08/15/06 U.S. Dept. of Transportation (Orlando, FL) On April 24th, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are in the process of determining if it contained sensitive personal information. Unknown 08/09/06 U.S. Dept. of Transportation The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27th from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses. Update (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot. 132,470 08/07/06 Veterans Affairs Dept. through its contractor Unisys Corp. (Reston, VA) Computer at contractor's office was reported missing Aug. 3rd, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations. Update (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys. 5,000 Philadelphia patients, 11,000 Pittsburgh patients, 2,000 deceased patients, plus possibly 20,000 more patients
40. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 07/26/06 U.S. Navy recruitment offices (Washington, D.C.) Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. 31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below (6/23/06). 07/18/06 U.S. Dept. of Agriculture (USDA) (Washington, D.C.) (Wellington, KS) Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car and later recovered. 350 07/07/06 Naval Safety Center SSNs and other personal information of Naval and Marine Corps aviators and air crew, both active and reserve, were exposed on the Center web site and on 1,100 computer discs mailed to naval commands. “ More than 100,000" 06/27/06 Gov't Accountability Office (GAO) (Washington, D.C.) Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, SSNs and addresses. The agency has subsequently removed the information. "Fewer than 1,000" 06/23/06 U.S. Navy recruitment offices (Washington, D.C.) Navy personnel were notified on June 22nd that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and SSNs. 30,000
41. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 06/22/06 Federal Trade Commission (FTC) (Washington, D.C.) Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, SSNs, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. 110 06/21/06 U.S. Dept. of Agriculture (USDA) (Washington, D.C.) During the first week in June, a hacker broke into the Department's computer system and may have obtained names, SSNs and photos of current and former employees and contractors. 26,000 06/13/06 U.S. Dept of Energy, Hanford Nuclear Reservation (Richland, WA) Current and former workers at the Hanford Nuclear Reservation found that their personal information may have been compromised, after police discovered a 1996 list with workers' names and other information in a home during an unrelated investigation. 4,000 06/12/06 U.S. Dept. of Energy (Washington, D.C.) Names, SSNs, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago. 1,502 06/05/06 Internal Revenue Service (Washington, DC) A laptop computer containing personal information of employees and job applicants, including fingerprints, names, SSNs, and dates of birth, was lost during transit on an airline flight. 291
42. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 05/22/06 Dept. of Veterans Affairs (VA) (Washington, DC) On May 3rd, data of all American veterans who were discharged since 1975 including names, SSNs, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings. Update: An additional 2.1 million active and reserve service members were added to the total number of affected individuals June 1st. Update (6/29/06): The stolen laptop computer and the external hard drive were recovered. Update (7/14/06): FBI claims no data had been taken from stolen computer. Update (8/5/06): Two teens were arrested in the theft of the laptop. Update (8/25/06): In an Aug. 25th letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for "patterns of misuse." 28,600,000 05/05/06 Dept. of Veteran Affairs (VA) (Washington, D.C.) A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' SSNs, dates of birth and legal documents. Update (10/11/06): The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape. 16,500
43.
44.
45. Section 2 The Evolution of U.S Privacy: A Historical Overview February 18, 2007
February 18, 2007 [it’s easier to see the certifications when they are bulleted]
February 18, 2007
February 18, 2007 Privacy concerns and the U.S. Federal Government have a long history, some of which can be traced back to the founding of the country or at the very least the drafting and ratification of the U.S. Constitution and Bill of Rights. While neither the Constitution nor the Bill of Rights specifically address the concept of “Privacy”, the foundations for privacy can be found in many places. Even though the U.S. Federal Government is no new comer to dealing with privacy concerns, privacy practices within U.S. Federal Agencies are a relatively new concept for most agencies. Since about the mid- to late- 1990’s, privacy programs and practices of federal agencies have slowly emerged as a critical issue that has and is providing federal agencies with many difficulties when it comes to addressing concerns and establishing a comprehensive privacy program. Traditionally, the Federal Government has played four different roles in addressing privacy within the United States and part of the difficulty arises from the four different roles played by the Federal Government when it comes to privacy. : Legislation of requirements for privacy Includes both laws that require release of private information (e.g. Deeds, Bank Secrecy Act) and requirements concerning protection of private information to both government entities and the private sector. Oversight of private sector compliance Publication of rules and requirements for the private sector, ensuring compliance with laws, rules, and requirements by the private sector, investigating/addressing complaints/violations by private sector entities (e.g. Fair Credit Reporting Act) Judicial Review Case Law concerning validity of laws, rules, and requirements Lawsuits to effect change in practices Criminal and Civil Suits to punish violators and compensate victims Safeguarding & Protecting data collect by and used by the Government concerning citizens (e.g. Privacy Act, FISMA)
February 18, 2007
February 18, 2007
February 18, 2007 This material is primarily focused on what the various departments, agencies and bureaus' within the Executive Branch of the Federal Government are required and expected to do to protect information that it collects, uses, and shares about private citizens and a citizens right to view and correct information about them held by federal agencies. This material will discuss, at a high-level, the critical privacy areas the Executive Branch of the Federal Government is involved with such as: Government Records Communications Medical Information Commerce In addition to this, the material will also briefly touch on other key privacy concerns within agencies such as: Privacy in the Federal Workplace Protection of Federal Employee Information Protection of Federal Contractor Information This material has been developed primarily to help raise the awareness of Federal Employees and Contractors that have some level of responsibilities in privacy oversight within a Federal Agency or Program. Secondly, this material was developed be useful to auditors of federal agency privacy programs, practices, and processes. Lastly, this material was developed to help those outside the federal government develop a better insight as to the complexities and requirements federal agencies must meet to ensure the protection of privacy information in their custody. This material does not cover privacy requirements for the Legislative or Judicial Branches of the U.S. Federal Government which have different requirements therefore most of the information that will be covered in this material is not applicable to the Legislative or Judicial Branches. Similarly, this material will not focus on the Federal Government’s oversight of privacy in the private sector. Again, this material is ONLY concerned with what federal agencies of the Executive Branch of the U.S. Federal Government are required to comply with to protect the privacy of information they collect and use about U.S. Citizens.
February 18, 2007
February 18, 2007 Before getting to far along in the material, it is important that we establish and define some terminology. Within the Federal Government there are multiple definitions to the term “privacy information” depending on the context in which the term is used and even the agency the term is used in. The most common definitions (some of which have been statutorily defined) are: Information collected about a “person” obtained or resulting from a transaction to obtain services Information collect by the government about a citizen maintained in an information system These two definitions are by far the most common and is traditionally what comes to mind when someone talks about privacy information, and for the purposes of this material will be the types of privacy information we are going to focus on. While at first glance these two definitions appear to saying the same thing, there are subtle differences between them that impact their scope. Lets start by looking at the first definition. This definition might be used to describe the information processed by the Government Printing Office’s Online Bookstore (bookstore.gpo.gov) during the purchase of a Pocket Edition of The Constitution of the United States and the Declaration of Independence. Within this definition, there are two items that can effect how the information collected is used and protected. The first item is the word “person” and in this context a “person” can be: Natural – as in a human being Legal – as in a corporation Citizen – may be a citizen of the U.S. Alien – Legal, Resident, or Illegal Organization – business, non-profit, educational Foreign Interest – resident, business, government The other key item is the phrase “a transaction to obtain services” and results in that the information is collected to allow the government to fulfill a request, in this case sell and deliver a Pocket Edition of The Constitution of the United States and the Declaration of Independence. This also implies that the information collected to be able to provide the service is used only for that specific reason and is not maintained in such a way the government can use the information to make determinations about a person by another federal entity. The second definition is the traditionally thought of information a government agency has about each one of us. Theoretically this would also be a system of records as defined by the Privacy Act. Like the first definition, there are two key items that effect how the information collected is used and protected. The first item is the word “citizen” and in this context only means: A person born with in the borders of the United States or its territories A foreign born person who has become a naturalized citizen The second item is the statement of “collected by the government” and the statement of “maintained in an information system”. These statements imply that the information is collected and may not have been provided by the actual person the information is about and that the information is maintained to support future reference to the information at some later date and/or that it is updated periodically.
February 18, 2007 3. Information about Federal Employees and Contractors This definition is what you might receive when talking with agency personnel or a human resources group, and of course OPM. 4. Restricting access to subscriber or relying party information This definition comes from NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure. “ Subscriber” = A Subscriber is an entity that (1) is the subject named or identified in a certificate issued to that entity, (2) holds a private key that corresponds to the public key listed in the certificate, and (3) does not itself issue certificates to another party. This includes, but is not limited to, an individual or network device. “ Relying Party” = A person or Agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. In this context the definition is concerned with protecting the information associated with the use of a PKI system for authentication and identification purposes supporting non-repudiation (ability to deny that you did something) With the exceptions of Department of Defense entities or an IT Security group, it is not very likely you will run across the use of this definition. 5. Restricting access to proprietary information provided for review With this definition, legally created entities (businesses, non-profit organizations, etc.) have been accorded some right to privacy over certain types of information created by the entity and is basically centered around information that would provide another organization with an unfair competitive advantage. For most federal agencies, the main place they will be dealing with this information is in the procurement arena and is addressed in the Federal Acquisitions Regulations (FAR) or DFAR the agency must comply with. There may be one other area of concern for some agencies: information provided by an organization for review and use by an agency voluntarily and at no cost to the agency to support or assist in research or development of policy. The best example of this would be found by looking at the National Transportation and Safety Board (NTSB) accident investigations. Often manufactures will provide NTSB investigators full access to and copies of trade secrets, design specifications, and other documentation to support a crash or accident investigation. 6. Information collected as part of statistical surveys, program evaluations, and research studies While this definition may seem vague, there are statutory requirements behind this definition that are agency specific. In a nutshell what this definition means is that the participants have a right to anonymity. In cases where a participants identity is required to be known for collection of information the participants identity, participation in the survey/evaluation/study, and the data provided is to be protected to prevent others from knowing who participated or from linking the information to a participant. Customer Satisfaction surveys also fall under this definition as a type of program evaluation.
February 18, 2007 Privacy (all lowercase letters) or privacy protection, for this material, refers to the controls or processes to protect privacy information from unauthorized used or disclosure. Privacy discussions often are centered around the term of “confidentiality”, especially when information security personnel, polices, and laws are involved. While confidentiality is often used when talking about privacy information, it is important to remember that confidentiality is not a “class” of information within a system like “privacy information”. Instead, confidentiality is a principal for a control framework to establish a level of protection for all information within an information system. Confidentially has been defined statutorily in 44 U.S.C. 3542 as: “ Preserving authorized restrictions within the Federal Government including means for protection personal privacy and proprietary information.” It has also been defined by NIST in FIPS 140-2 as “the property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.”
February 18, 2007 Aside from the term “Privacy Information” the U.S. Federal Government has a number of other terms that have been defined concerning “Privacy Information” or categorizing a set of data as privacy information. Privacy Act Data – This term is the most familiar to federal employees and contractors. Privacy Act Data is often used when discussing Privacy Information. However, it is often misused to describe a broad category of information when in reality the Privacy Act of 1974 as amended, statutorily has defined what is covered by and what makes information “Privacy Act Data”. Personally Identifiable Information (PII) and Protected Personal Information (PPI) are currently inter-changeable with each other. PII was statutorily defined by Section 208 of the E-Government Act of 2002 and further defined by OMB memo’s. PPI is often seen in use with the Department of Defense. Information Identifiable Format (IIF) was established by Section 208 of the E-Government Act of 2002 and was originally meant as a way to classify data that may not identify a person directly that could be used to identify a person after the fact and associate transactions made with that information (for example IP Address, session start and end times, browser information, referring domain address, or machine name) Proprietary Information and Confidential Commercial Information can be inter-changed with each other. This type of “privacy information” is mainly applicable to only specific information about a Federal Contracting Organization and has specific clauses defined concerning this information in both the Federal Acquisitions Regulation (FAR) and the Defense Federal Acquisitions Regulation (DFAR). PHI was created by HIPAA. CPNI was defined by Telecommunications Act of 1996
February 18, 2007 Aside from the ramifications and consequences resulting from not ensuring privacy, privacy is considered one of the core values by the society we live in. The society in which we live and interact with recognizes that a person has a “reasonable” expectation of privacy. The American judicial system has extensive case law concerning privacy and defining privacy “as the right to be left alone” that dates back to the 1800’s. In the 1890’s U.S. Supreme Court Justices Louis Brandeis and Samuel D. Warren first put forth the concept of privacy as the right to be left alone in an article they co-wrote that was published in the Harvard Law Review. In 1928 in the Olmstead v. United States case, Justice Brandies wrote that the Constitution “conferred, as against the government, the right to be let alone – the most comprehensive of rights and the rights most valued by civilized men.” It is a legislative right in that in many cases the right to privacy, the protection of privacy information, and mandated lack of privacy (or required disclosure of privacy information) primarily has been defined by Acts passed by Congress and in some cases Presidential Executive Orders. Privacy is deemed a “penumbral right” within the Constitution resulting from the intersections of the various rights that are established in the Constitution and the Bill of Rights. While there is no explicit statement to the right of privacy in the Constitution, the right of privacy has underpinnings in the U.S. Constitution within: the Fourth Amendment – “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The Ninth Amendment – “The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people.”
February 18, 2007 Privacy is a subjective condition that a person has in regards to the degree they can determine what personal information about themselves is to be shared and for what purposes it can be used. It is subjective because each person has their own definition of what personal information is, what information about them can shared, and what information about themselves they want to control. In other words privacy is the authority and ability to govern the: Acquisition of information from an individual (or third party) to another party Disclosure of any or all of the information to another party Use or Purpose agreed to between the parties when the person disclosed the information to the other party
February 18, 2007 Privacy, while a value of society that conveys to an individual certain expectations of a right to privacy, the right to privacy is not unlimited (as in a person can prevent releasing any information) nor is it an absolute right (as in under certain circumstances a person right to privacy can be revoked). In order for a person to interact and participate fully (or in any way) in society or engage in any type of social discourse will require a person to release different types of personal information to different entities and to different levels of detail. Ultimately, privacy is a social contract that tries to balance the need for disclosure of information to government entities, commercial organizations, and other individuals with the desire of a person to control what information about themselves is available to others.
February 18, 2007 Within the United States there is no omnibus Privacy legislation. Instead, the privacy issues area addressed through sector-specific privacy rules, legislation, regulations, and/or voluntary codes to ensure privacy protection. When looking at how privacy issues have been addressed within the United States, there are six critical areas that privacy governance occurs: Privacy of Government Records Privacy of Communications Privacy of Medial Records Privacy in the Marketplace Privacy in the Workplace Privacy of the Home & Family Each of these areas has specific regulations or case law that establish requirements for privacy protection and in some cases those requirements may span multiple areas. While each of these six area has different requirements, processes, and oversight for protection of privacy, the foundation of guiding principles and the governance of privacy in each area is the same.
February 18, 2007 The U.S. Federal Government has adopted a set of Fair Information Practices and a set of Privacy Principles for governance of privacy. The Fair Information Practices were published in 1973 in a Health, Education, and Welfare Advisory Committee report outlining a framework for how personal information should be collected, disclosed, and used to ensure a citizens right to participate. The Fair Information Practices call for: Openness Notice Use Correction Accuracy and Security
February 18, 2007 The U.S. Privacy Principles were developed by the Privacy Working Group of the Information Infrastructure Task Force. In June of 1995, the Privacy Working Group published the report “Principles for Providing and Using Personal Information”. The Privacy Working Group was not seeking to replace the Fair Information Practices, which had been published by the Secretary of Health, Education, and Welfare Department (Casper Weinberger) over 12 years ago in 1973. Instead they were looking to build upon the Fair Information Practices, refine them, and strengthen them, as needed, while taking into account the technology infrastructure that was in place for most medium to large companies. The Principles for Providing and Using Personal Information report put forth a set of privacy principles which recognized that: Consumers and Citizens, government entities (federal, state, or local), and business ALL share in the responsibilities to secure personal information Technology has the potential to empower individuals to protect their information, but that very same technology can facilitate an individual having their information compromised Organizations that collect and use Privacy Data need be open about and share information about their data collection processes and reasons for collecting the data Individuals have to be able to understand the impacts of how their information can be used AND clearly understand how their information will be used.
February 18, 2007 The Principles for Providing and Using Personal Information Report further noted that organizations that collect and use personal information as well as the individual that is providing information to an organization have additional responsibilities that they should perform.
February 18, 2007 As we talked about earlier, in order to participate and interact fully with society or engage in any type of social discourse, requires a person to release personal information of different types and to varying degrees. However, society does recognize that a person has the right to expect a reasonable level of privacy concerning themselves. We also have defined that the expectation to the right of privacy is not an unlimited nor an absolute right. Personal information is information which can be used to identify a person uniquely and reliably. It is both information about a person (data elements like: address, social security numbers, employer) and also includes information about their persona (elements like pictures, video, reputation).
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007 While there may be an office or an agency official with designated responsibilities for Privacy Concerns they alone can not ensure that personal information collect, used, and maintained by the agency is protected. They can only oversee and monitor the implementation of privacy policies and programs for the agencies. Information Technology plays a large role when it come to protecting and ensuring the protection of personal information. Agency CIO’s have statutory requirements in regards to privacy. However, the CIO Office, the IT Group, and Information Security Group only provide a part of the protection required to ensure privacy protection. Some of the offices within an agency that have requirements concerning privacy governance are: FOIA Officers Privacy Act Officers (may also be the FOIA Officer) Agency Chief Information Officer Agency General Counsel’s Office Agency Chief Financial Officer Agency Senior Privacy Official / Chief Privacy Officer Application System Owners NOTE: We will be going into more detail concerning the offices with privacy governance responsibilities later in the training in Sections 3 and 4.
February 18, 2007 As that privacy governance requirements are spread across a number of offices within an agency there are a number of policies and procedures that must coordinate and compliment each other to ensure a unified approach to ensuring privacy protection. Ultimately, privacy protection involves implementation of three distinct control families. Management Controls Are the controls put in place concerning such items like: the Agency Specific Policies, reviewing business practices, ensuring needs for privacy are budgeted for, reviewing and assessing the effectiveness of the privacy program, and reviewing and assessing compliance with the privacy program by employees and contractors. Operational Controls Are the controls put in place concerning such items like: Privacy Awareness and Training, Physical protection, standard procedures, labeling of information and documents, monitoring access to information, retention of and destruction of documents and information. Technical Controls Are the controls that are typically provided by the CIO’s Office, the agency network infrastructure, and the Software Application that the information is maintained in. Many of these controls may not be purely technical controls and instead augment the management and operational controls of the privacy program.
February 18, 2007 Privacy Protection within Federal Agencies can be best achieved through the: Implementation of a comprehensive agency-wide Visible Privacy Program Establishment of privacy coordination group or team that represents a cross-section of agency Creation of a Privacy Training and Awareness Program with periodic refresher training to educate personnel to their responsibilities regarding privacy protection and raise awareness of issues regarding privacy. Can not be successful if the CIO’s office and the Agency Senior Privacy Official do not have a close working relationship and keep each other informed to changes and concerns. NOTE: We will be going into much more detail concerning these and other elements of a privacy program later in Section 3 of this material.
February 18, 2007 While the IT department, group, or individuals have always provide some level of protection for privacy information, they don’t always see it that way or realize it. The IT department thinks in terms of, and often in this order: Availability – is the system up and can the users access it Integrity – are the systems protected, are they stable platforms? Confidentiality – Let the people in that have access and keep everyone else out. Confidentiality, while important or an IT department, usually gets overridden by availability for internal users. Part of this stems from that the IT Departments usually have as part of their mission, either stated or implied, is the goal of supporting the sharing of information within an organization. This mission statement usually drives everything else the department does. In a lot of cases this results in on coarse grain protection of information based on roles or groups that are broadly defined that associate people to a division or department with in the organization. The other analogy that can be drawn between Privacy and Security is that Security can be seen as protecting the information based on authentication of a person (do they have a right to gain access to the system), and privacy is protecting the information based on authorization for a person (do they have a need to access the information). Just because you have access to a shared area on a system does not always mean you have the authorization or right to access any of the documents or materials stored there. The IT system usually will support controls to that level, but IT departments don’t have the staff to support the amount of changes to access rights done to that level, and most end-users don’t even know that, in a lot of cases, they have some limited abilities to control access to files and directories they establish on the system. NOTE: We will be going into much more detail concerning security-related items later in Section 3 of this material.
February 18, 2007 If we look back at IT Security we can see that it is still an evolving practice. First there was Computer Security or Information Technology Security and was really focused on protecting the equipment more than anything else. This slowly changed into Information Security and is where the IT Groups began viewing security in the terms of Confidentiality, Integrity, and Availability. It was not too long after the “INFOSEC” methodology or practices had taken hold, the controls about authentication and non-repudiation merged into the practice and now we had Information Assurance. And the “Security” profession is still evolving, adapting, and learning new practices.
February 18, 2007 Some where in about 2001, is where the security practice slowly started another change that we are just beginning to see the results of where Privacy Assurance has become a focus and concern for IT Security professionals, even though most of the industry still refers to security practitioners as Information Security or Information Assurance. Look at what the CIO Groups within the Federal Agencies are doing currently that was not being done just 2 years ago: FIPS 199 System Categorizations Privacy Impact Assessments E-Authentication Risk Assessments Privacy Policies for websites in both human and machine readable formats The minimum recommendation of controls from NIST even has some specific controls that only are concerned with privacy. An entire section of the annual FISMA Report is concerned with privacy issues Quarterly updates on privacy issues required to accompany the quarterly submission of POA&M and security concerns within the IT Group. In some cases the addition of the privacy controls were a new concept for the IT groups, in others it was a matter of adding or refining some processes or controls, but for a lot it was more of an “ah ha!” experience because they realized they had been doing it as part of some other process and never had thought to take credit for it.
February 18, 2007 Every agency, no matter what size, if it handles privacy data (and I can’t think of one that doesn’t at some level, if nothing else for their for employees) needs to have a Privacy Breach Incident Response Plan that supplements the Security Incident Response Plan, DR Plans, COOP, or other contingency related plans. It is not a matter of “IF” the agency will a have breach, it is a matter of “WHEN” it will happen. Privacy Concerns also need to be well integrated into the DR Plans and COOP’s since a privacy breach is even more likely to happen when operating in a reduced capacity or state of emergency as a lot of the normal IT Controls may no longer be functional. A privacy breach should be considered on the same level in an Organizations DR Plan or COOP as the loss of a building. While physically every thing may be operating, the response to a privacy breach will be just as important as getting water on a fire in storage room. And more importantly, people and the media will ask MORE question about the privacy breach than they will the cause of a fire in the building.
February 18, 2007
February 18, 2007 Note: These next few slides provides examples of various privacy breaches over a six month period of time.
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007 Depending on the impact and severity of an unauthorized disclosure of personal information: Agencies may have to cut budgets, postpone projects, or delay offering new services in order to pay for corrective actions like Credit Monitoring New control measures New / Refresher Training Senior Leadership of the Agency called before congressional committees to explain how it happened, why it was not prevented, what is being done to prevent it from happening again, and who was responsible for it In 2005 at NTSB, during confirmation hearings for a new director, congress had some very pointed and tough questions concerning the lack of progress and poor FISMA reports. This resulted in a major re-organization of the CIO group which included removing the person in the CIO position to a new duty assignment. NTSB Directorship scrutinized every action in the CIO shop and resulted in a CIO shop that was effectively paralyzed. Senior Leadership may change due to a “request to resign from a position” In the summer of 2006 we follow the VA mishap concerning a stolen laptop potentially exposing 28 million veterans’ personal information: The Associate Deputy Assistant Secretary for Cyber and Information Security resigns The Deputy Assistant Secretary for Policy resigns The Acting Assistant Secretary for Policy was placed on Administrative Leave
February 18, 2007
February 18, 2007
February 18, 2007 As we discussed earlier, privacy in the U.S. has been evolving since the adoption of the Constitution. We will specifically be concentrating on the privacy guidance from the 1960’s until today which encompasses both laws, rules, and regulations that have been enacted for the private sector as well as those for the public sector. Prior to the 1960’s there was hardly anything concerning the collection of information from citizens, and how that information might be used. There was some limited case law, but it wasn’t until the mid- to late 1960’s that the federal government began to effect how agencies collected information, how it was used, or how it would be disclosed. The one piece of legislation enacted prior to the 1960’s that helps support the Federal Privacy Framework was the Federal Records Act of 1950. This act required agencies to document and preserve evidence of the agency’s activities and established that OMB, GSA, and NARA would share the responsibility for oversight of Records Management by an agency. The next series of slides start with the 1960’s and will begin to illustrate the history and evolution of privacy guidance and requirements within the United States. These slides have been developed to show four separate timelines to help provide a frame of reference to the various privacy related events by showing the privacy event on one flow and then providing information as to the current events of the time, as well as information about the Advancement of both IT Technology and Hacking events.
February 18, 2007 The top three timelines, IT Incidents, IT Advancements, and “Current” Events are informational. If there is a key point that you may need to remember, it will be pointed out during the discussion around the year an event takes place in. In some cases being able to see these additional timelines can help to understand why a privacy event (law, report, etc) came about. As we start to look at the timeline slides I want to point out that the IT Incidents timeline, only highlights IT Incidents related to the U.S. Federal Government or a milestone event.
February 18, 2007
February 18, 2007
February 18, 2007
February 18, 2007 The Federal Privacy Framework we will be looking at is a Conceptual Node Connectivity Diagram created to provide a visual representation of federal laws, requirements, or guidance that apply to all Executive Branch Departments, Agencies, and Bureaus that also help shows how oversight of privacy is accomplished by OMB, Congress, and each agency. The other benefit of this diagram is it can help show how there have been relationships created by various laws that have created a in-direct relationship to an agency function that result in a privacy controls have a direct impact to the other agency function.