Integrity - Service - Excellence
Headquarters U.S. Air Force
Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty!
Privacy Act Educational Awareness for all Air Force Employees – Military Members, Civilians, Air Force Reserve, Air National Guard, & Contractors
Why You are Being Asked to Take this Educational Awareness Now…
- In a number of recent incidents, personal data has been lost, stolen, or compromised
- The Office of Management and Budget (OMB), the Federal entity responsible for overseeing the Privacy Act (PA), has mandated that the Federal workforce complete this educational awareness briefing
- Because personal information is handled by a wide number of Air Force offices, it is imperative that all personnel understand and apply guidance on the proper handling of this sensitive information
- To preclude YOU or a member of your staff from being the subject of an investigation
Criminal Penalties for Noncompliance with the Privacy Act
- For knowingly and willfully disclosing Privacy Act protected data to any person not entitled to access: Misdemeanor criminal charge, and a fine of up to $5,000 per incident
- For maintaining a System of Records without meeting the public notice requirements: Misdemeanor criminal charge, and a fine of up to $5,000
- For knowingly and willfully requesting or obtaining records under false pretenses: Misdemeanor criminal charge, and a fine of up to $5,000
Civil Penalties for Noncompliance with the Privacy Act
The Privacy Act also imposes civil penalties on violators (normally the agency) who:
- Unlawfully refuse to amend a record
- Unlawfully refuse to grant access to records
- Fail to maintain accurate, relevant, timely and complete data
- Fail to comply with any Privacy Act provision or agency rule that results in an adverse effect
Penalties include:
- Payment of actual damages
- Payment of reasonable attorney’s fees
- Removal from employment
Safeguarding Requirements
Three Levels of Safeguards are Required:
- Administrative
- Physical
- Technical
These individuals are responsible for establishing safeguards:
- Information Technology System Designers
- Privacy Act System Managers
- Local Privacy Act Officials
- And you (all Airmen)…
Remember: YOU are responsible for ensuring that safeguards are applied!
Remember: You may be subject to civil and criminal penalties for violating the Privacy Act
If You Have Access to Personal Data...
- Protect it at all times
- Do not share it with anyone unless:
  - The recipient is listed in Section (b) of the Privacy Act
  - The subject of the record has given you written permission to disclose it to the recipient
- Password protect personal data placed on shared drives, the Internet, or the Intranet
- Monitor your actions: For example, “If I do this, will I increase the risk of unauthorized access?”
Tips for Avoiding Privacy Breaches…
- Take privacy protection seriously
- Respect the privacy of others
- Report to your supervisor or other management official when you see personal data left unattended
- Know the Privacy Act requirements. Refer to the following governing publications for additional guidance: AFI 33-332, Privacy Act Program, which implements DoDD 5400.11, DoD Privacy Program; and DoD 5400.11-R, DoD Privacy Program
- Also, visit the following Web Sites:
  http://www.dtic.mil/whs/directives/corres/html/540011.htm
  http://www.foia.af.mil/Privacy
Reporting Inappropriate Disclosures
Immediately notify:
- Your supervisor
- Your local Privacy Act Officer
- The Privacy Act System Manager
- And any other appropriate official of the occurrence
For World Wide Web postings, make a note of where the information was posted by copying the Uniform Resource Locator (URL). The URL is the address listed at the top of the screen. Most URLs begin http://www
Air Force Freedom of Information Act (FOIA) and Privacy Act (PA) Points of Contact
For additional information, inquiries, and/or questions, you may contact your base, MAJCOM, FOA, or DRU FOIA/PA Manager identified on the attached FOIA/PA listing
Thank you for completing this important educational awareness briefing!
…there is more Privacy Act related information found in the back-up slides, such as:
- Purposes of The Privacy Act of 1974
- Key Privacy Act terminology
- Marking Privacy Act protected data
- Transporting Privacy Act protected data
- Storing Privacy Act protected data
- Disposing of Privacy Act protected data
- Sharing of Privacy Act protected data
- Information for telecommuters
- Controlled unclassified information types and references
Headquarters U.S. Air Force
Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty!
Back-up Slides
The Privacy Act of 1974
The Privacy Act of 1974 is intended to balance the Government’s need for information against the individual’s right to privacy. Among its purposes, the Privacy Act of 1974 is intended to:
- Give individuals access to records kept on them
- Allow individuals to correct errors in those records
- Limit information that is collected to what is relevant and necessary
- Restrict access to personal information by third parties, that is, to protect the privacy interests of the subject from any other person, with some exceptions
- Provide remedies for non-compliance with the Privacy Act of 1974
Key Privacy Act Terminology
The following are key terms used in Privacy Act discussions:
- Record: Any item or collection of information about an individual which is maintained by an agency and which contains that person’s name or other identifying particulars
- System of Records: A group of records under the control of an agency from which information is (not can be) retrieved by name of the individual or by some personal identifier
- Personal Information: The types of information protected by the Privacy Act of 1974; distinguish from “official information,” which is generally not protected.
  Examples of “personal information” are: Social Security number, marital status, number and sex of dependents, home of record, age and date of birth, home address, and telephone number
  Examples of “official information” are: Name, military rank and date of rank, pay and special pay, military awards and decorations, and current assignment
Marking Privacy Act Protected Data
Privacy Act protected data are to be handled as “For Official Use Only” (FOUO); see DoD 5200.1-R, Information Security Program, Appendix 3, located at this Web Site: http://www.dtic.mil/whs/directives/corres/html/52001r.htm
Mark Privacy Act protected data with a handling notice when it is created or received:
- “For Official Use Only – Privacy Act of 1974”
- “For Official Use Only – Privacy Act Protected Data”
Place the FOUO marks at the top or bottom of each page or screen. Classified records are marked on both the top and bottom of the page as well as at each paragraph
Before disseminating Privacy Act protected data, make sure it carries the FOUO handling notice
Transporting Privacy Act Protected Data
Using Ground Mail:
- Use brown or white envelopes to mail documents
- Never use “holey joes” or messenger-type envelopes
- You may double wrap the documents using an inner and outer envelope, if you deem it appropriate
- Mark the envelope to the attention of an authorized recipient
- Never indicate on the outer envelope that the contents contain Privacy Act protected data
Hand-carrying:
- When hand-carrying FOUO documents never leave the documents unattended
- Ensure contents are properly covered (using AF IMT 3227, Privacy Act Cover Sheet) and/or placed in an envelope to shield contents
- Do not leave FOUO documents on a person’s desk; hand them to the recipient to ensure there is no unauthorized access
Using E-mail:
- Use Common Access Card procedures
- Announce in the opening line of text that you are relaying FOUO material
Storing Privacy Act Protected Data
Duty Hours:
- Cover or place documents in an out-of-sight location when those not authorized access enter the work space
- Use filtering devices on computer screens to blacken the view
- Lock computers when leaving – even for brief periods
After Duty Hours:
- If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet
- Special categories of Privacy Act protected data should be placed in locked receptacles
What are Some Special Categories of Privacy Act Data?
- Investigative Files
- Personnel Files
- Security Clearance Files
- Adverse Action Files
- Any category that, if released, would embarrass or harm the subject
Disposing of Privacy Act Protected Data
Use any reasonable means that prevents inadvertent compromise!
A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction
Disposal methods may include: Tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding (GSA-approved shredder), and mutilation
Recycling contracts are acceptable, if the documents are properly protected while in a destruction bin, protected in transit, and one of the above destruction methods is used by the contractor
Sharing of Privacy Act Protected Data
Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform official, assigned duties
If the Privacy Act System Manager has granted you authority to make disclosures outside Department of Defense (DoD):
Share only with those individuals and entities outside DoD that are listed in the “Routine Use” clause of the governing Privacy Act System of Records Notice. Visit the following Web Site for DoD Privacy Act systems notices:
http://www.defenselink.mil/privacy/notices/
If you have doubts about sharing data, consult with your supervisor, the Privacy Act system manager, or your local Privacy Act Officer
Information for Telecommuters
Paper Records:
- Place Privacy Act protected data in locked drawers, locked briefcases, or other secure areas where family/household members, visitors, or intruders cannot access it
Electronic Records:
- Use password protection protocols. Do not share your password
- Do not store Privacy Act protected data on disks, CDs, USB flashdrives, memory sticks, flashcards, or other media without proper security protections or authorization
- Do not use wireless computer technology without following the proper security protocols
Controlled Unclassified Information Types and References
- For Official Use Only (FOUO): FOUO is not a security classification. It is derived from the Freedom of Information Act, which prohibits the automatic release of information to the public. Use FOUO only when necessary. References: DoD 5200.1-R, Appendix 3, paragraph AP 3.2
- Privacy Act: Requires agencies to publish descriptions of systems of records containing personal information. References: DoD 5400.11 and DoD 5400.11-R, DoD Privacy Program; and AFI 33-332, Privacy Act Program
- Scientific & Technical Information (STINFO): Information relating to research, development, engineering, testing, evaluation, production, operation, use, and maintenance for military products, services, etc. Reference: AFI 61-204, Disseminating Scientific & Technical Information
Controlled Unclassified Information Types and References (Cont’d.)
- Export Control: The U.S. Government controls exports of sensitive equipment, software, and technology as a means to promote our national security interests and foreign policy objectives. Reference: DoD Directive 5230.25, Withholding of Unclassified Technical Data From Public Disclosure
- Unclassified Controlled Nuclear Information (UCNI):
  - Department of Energy (DOE) UCNI: Unclassified facility design information, operational information concerning the production, processing or utilization of nuclear materials for atomic energy defense programs, safeguards and security information, nuclear materials and declassified controlled nuclear weapon information previously classified as Restricted Data
  - Unclassified information about security measures (including security plans, procedures, and equipment) for the physical protection of DoD Special Nuclear Material, equipment, or facilities
Additional References are:
- AFPD 31-4, Information Security, which mandates the policy for protecting sensitive Air Force information
- AFI 31-401, Information Security Program Management, which prescribes and explains how to manage and protect unclassified controlled information and classified information