Department of Commerce Privacy Awareness

August 1, 2005

What is privacy protection?

Privacy protection includes the protection of the personal privacy rights of individuals from the unauthorized collection, maintenance, use, and disclosure of personal information about them.

When DOC does collect personal information, we have a duty and responsibility to protect that information from misuse.

Business identifiable information received by DOC must be similarly protected, in accordance with applicable laws.

Your responsibilities to protect privacy

As a Commerce employee, you are responsible and accountable for

knowing what constitutes personal information and business identifiable information;

handling personal and business identifiable information;

protecting personal and business identifiable information; and

following all laws, rules, regulations, and Departmental policies regarding personal and business identifiable information.

DOC privacy principles

The Department of Commerce has adopted the following privacy principles:

Data Minimization – Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department’s mission and legal requirements.

Transparency – Notice covering the purpose of the collection and use of personally identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.

Accuracy – Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.

Security – Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of personally identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules.

Key privacy laws

Privacy Act of 1974

Freedom of Information Act (FOIA)

E-Government Act of 2002

Additional privacy laws regulate other areas, such as government access to bank and other financial records, identity theft, trade secrets, health records, and education records.

The Trade Secrets Act (18 USC 1905) provides criminal penalties for the unauthorized disclosure by the government of confidential commercial information.

Privacy Act of 1974

Regulates how federal agencies collect, maintain, use, and disclose individuals’ information maintained in a Privacy Act system of records. This includes information pertaining to federal employees as well as the public.

Requires federal agencies to publish systems of records notices so that the public is aware of what Privacy Act records are being maintained and under what authority.

Requires that information about individuals maintained in a Privacy Act system of records be accurate.

Allows individuals to access and seek to amend their Privacy Act records.

Freedom of Information Act (FOIA) and privacy

The FOIA allows public access to all agency records not protected from disclosure by a FOIA exemption.

As a federal employee, certain government information about your employment may be disclosed, such as your position description, title, series, salary, and monetary award amounts.

FOIA personal privacy exemptions

FOIA provides two separate exemptions to protect individuals’ private information contained in agency records.

Exemption (b)6 protects from disclosure information about individuals in "personnel and medical files and similar files" when the disclosure of such information "would constitute a clearly unwarranted invasion of personal privacy."

Exemption (b)7(C) provides protection for personal information in law enforcement records. This exemption is the law enforcement counterpart to Exemption (b)6.

FOIA exemption for commercial information

Exemption (b)4 protects from disclosure “trade secrets and commercial and financial information obtained from a person [that is] privileged and confidential”.

“Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity.

E-Government Act of 2002

Requires that every federal agency conduct a Privacy Impact Assessment on each of its information technology systems under development that will contain personally identifiable information.

As a matter of policy, Commerce also requires that a Privacy Impact Assessment be conducted when developing systems that will contain business identifiable information.

The purpose of the Privacy Impact Assessment is to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected.

Other guidance

OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing the Privacy Provisions (Section 208) of the E-Government Act.

The Department of Commerce IT Privacy Policy provides guidance for implementing Section 208 and protecting personal information in Commerce, and extends the same protection to business identifiable information.

What is personal information?

Personal information is “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” (Section 208 (d) of the E-Government Act of 2002).

Examples include:

Lists of the names of visitors to buildings or offices;

Pay and personnel records;

Photographs of individuals captured on surveillance cameras installed to ensure the security of buildings or locations;

A biometric system that uses voice recognition technology to allow individuals access to certain controlled areas.

Where will you encounter personal information?

Entering data into a time and attendance system;

Processing a personnel action;

Reviewing a performance award nomination file;

Building a new database that is being filled with personal information;

Searching an existing database for individuals that meet certain criteria;

Receiving personal information from another agency;

Entering information into an employee medical file.

How do you protect personal information (1)?

Consider all personal information given to you, whether in writing or verbally, as sensitive.

Provide personal information only to those who have a “need to know.”

Use personal information ONLY for official purposes.

Provide access to an individual’s information only if you have specific authority to do so.

Secure personal information with appropriate passwords and locks.

How do you protect personal information (2)?

Not all personal information is exempt from disclosure to the public, e.g., name, title, grade, and office phone number of federal employees.

Contact your FOIA/PA Officer for guidance on personal information that may be released.

When creating a new system or significantly modifying a legacy system that contains personal information, conduct a Privacy Impact Assessment and contact your Operating Unit FOIA/Privacy Act Officer.

Business identifiable information (1)

Under Commerce policy, business identifiable information consists of information that is defined in the FOIA as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” This information is exempt from automatic release under FOIA Exemption (b)4.

“Commercial” is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest, and may include information submitted by a nonprofit entity.

Business identifiable information (2)

Not all business identifiable information is exempt from disclosure under, e.g., annual financial reports of public corporations. Contact your FOIA/PA Officer for guidance.

Other terms for business identifiable information that must be protected from disclosure are:

“confidential business information”

“confidential commercial information”

“proprietary information”

Examples of business identifiable information in Commerce

Financial information provided in response to requests for economic census data;

Business plans and marketing data provided to participate in trade development events;

Commercial and financial information collected as part of export enforcement actions;

Proprietary information provided in support of a grant application or related to a federal acquisition action;

Financial records collected as part of an investigation.

Examples of privacy violations

Violations include:

Requesting, obtaining, or using records under false pretenses

Maintaining inaccurate Privacy Act records that result in adverse action

Maintaining a Privacy Act system of records that has not been disclosed in a published notice

Failure to conduct a Privacy Impact Assessment when required

Disclosing business identifiable information, that is protected from disclosure, in violation of the Trade Secrets Act or other laws and regulations

Penalties for violations could include:

DOC disciplinary action

Civil action against DOC and/or the employee

Criminal prosecution of the employee

Scenario

Your office has been investigating an incident that involves a Commerce employee who is being disciplined. You want to share all the details in the case file with your buddy over lunch.

Can you gossip about what’s in the file?

ANSWER: No. You need to keep all information provided to you private and only give it to those who “need to know”. Your buddy doesn’t “need to know.”

Scenario

A Commerce OIG inspector comes to your office and asks to see the case file of an employee who is being investigated so that he or she may conduct an official progress review of the investigation.

Do you hand over these records?

ANSWER: Yes, but first ask to see the inspector’s credentials. The inspector “needs to know” the information you have in order to complete his or her official investigation.

Scenario

Your office has decided to enter into a contract with a private sector company that maintains databases with personal information to test a new modeling system that can be used to identify violators of export controls. This is a new system. You will be accessing their information and storing the results in your computer system.

Do you need a Privacy Impact Assessment and/or a Systems of Records Notice (SORN)?

ANSWER: Yes, you need both. Contact your Operating Unit FOIA/Privacy Act Officer to ensure that an SORN has been completed. Privacy Impact Assessments and SORNs should be completed prior to the signing of a contract so that privacy may be fully considered. In fact, potential contractors should address privacy issues in their proposals to DOC.

Scenario

In your position as an economist, you receive from corporations proprietary data and other confidential business identifiable information that is provided solely for the purpose of developing national economic and statistical reports that do not include identifiable information.

May you use the information received to pick stocks?

ANSWER: No. You are responsible for protecting business identifiable information from unauthorized release or misuse. Using the information to further your personal financial interests could result in disciplinary action.

Scenario

A citizen calls you at your desk and asks for a copy of “everything DOC has on me.” She says if you don’t give the information to her, she’s going to take this all the way to the Supreme Court.

What do you do?

ANSWER: Inform the individual that she may send a FOIA or PA request electronically to [email protected] or by mail or fax (202-219-8979). More information is at http://www.osec.doc.gov/omo/FOIA/FOIAWEBSITE.htm.

Rules for protecting personal information and business identifiable information

It is your responsibility to protect personal information and business identifiable information that is exempt from disclosure.

Think before you disclose.

Consider all personal information given to you as sensitive.

Protect business identifiable information in a similar manner as personal information.

Questions?

Brenda Dolan, DOC FOIA/Privacy Act Officer, [email protected], 202-482-3258

Your operating unit FOIA/PA Officer. See list at http://www.osec.doc.gov/omo/FOIA/docbureaus.htm

For IT privacy, records management, E-Government Act, and Privacy Impact Assessment issues: Dan Rooney, [email protected], 202-482-0517