
Integrity - Service - Excellence

Headquarters U.S. Air Force

Safeguarding of Personally Identifying Information

a.k.a. Privacy Act Data – It is Your Duty!

Privacy Act Educational Awareness for

all Air Force Employees –

Military Members, Civilians, Air Force Reserve, Air National Guard, & Contractors


Why You are Being Asked to Take this Educational Awareness Now…

In a number of recent incidents, personal data has been lost, stolen, or compromised

The Office of Management and Budget (OMB), the Federal entity responsible for overseeing the Privacy Act (PA), has mandated that the Federal workforce complete this educational awareness briefing

Because personal information is handled by a wide number of Air Force offices, it is imperative that all personnel understand and apply guidance on the proper handling of this sensitive information

To preclude YOU or a member of your staff from being the subject of an investigation


Criminal Penalties for Noncompliance with the Privacy Act

- For knowingly and willfully disclosing Privacy Act protected data to any person not entitled to access: misdemeanor criminal charge, and a fine of up to $5,000 per incident

- For maintaining a System of Records without meeting the public notice requirements: misdemeanor criminal charge, and a fine of up to $5,000

- For knowingly and willfully requesting or obtaining records under false pretenses: misdemeanor criminal charge, and a fine of up to $5,000


Civil Penalties for Noncompliance with the Privacy Act

The Privacy Act also imposes civil penalties on violators (normally the agency) who:

- Unlawfully refuse to amend a record
- Unlawfully refuse to grant access to records
- Fail to maintain accurate, relevant, timely and complete data
- Fail to comply with any Privacy Act provision or agency rule in a way that results in an adverse effect on an individual

Penalties include:

- Payment of actual damages
- Payment of reasonable attorney's fees
- Removal from employment


Safeguarding Requirements

Three levels of safeguards are required:

- Administrative
- Physical
- Technical

These individuals are responsible for establishing safeguards:

- Information Technology system designers
- Privacy Act System Managers
- Local Privacy Act Officials
- And you (all Airmen)…

Remember: YOU are responsible for ensuring that safeguards are applied!


Remember: You may be subject to civil and criminal penalties for violating the Privacy Act

If You Have Access to Personal Data...

- Protect it at all times
- Do not share it with anyone unless:
  - The recipient is listed in Section (b) of the Privacy Act (the conditions of disclosure, 5 U.S.C. 552a(b)), or
  - The subject of the record has given you written permission to disclose it to the recipient
- Password protect personal data placed on shared drives, the Internet, or the Intranet
- Monitor your actions: for example, ask "If I do this, will I increase the risk of unauthorized access?"


Tips for Avoiding Privacy Breaches…

Take privacy protection seriously

Respect the privacy of others

Report to your supervisor or other management official when you see personal data left unattended

Know the Privacy Act requirements. Refer to the following governing publications for additional guidance: AFI 33-332, Privacy Act Program, which implements DoDD 5400.11, DoD Privacy Program; and DoD 5400.11-R, DoD Privacy Program

Also, visit the following Web Sites:

http://www.dtic.mil/whs/directives/corres/html/540011.htm

http://www.foia.af.mil/Privacy


Reporting Inappropriate Disclosures

Immediately notify the following of the occurrence:

- Your supervisor
- Your local Privacy Act Officer
- The Privacy Act System Manager
- Any other appropriate official

For World Wide Web postings, make a note of where the information was posted by copying the Uniform Resource Locator (URL). The URL is the address shown at the top of the browser screen; most URLs begin http://www


Air Force Freedom of Information Act (FOIA) and Privacy Act (PA) Points of Contact

For additional information, inquiries, or questions, you may contact your base, MAJCOM, FOA, or DRU FOIA/PA Manager identified on the attached FOIA/PA listing


Thank you for completing this important educational awareness briefing!

…there is more Privacy Act related information found in the back-up slides…Such as: purposes of The Privacy Act of 1974, key Privacy Act terminology, marking Privacy Act protected data, information on transporting Privacy Act protected data, storing Privacy Act protected data, disposing of Privacy Act protected data, sharing of Privacy Act protected data, information for telecommuters, and controlled unclassified information types and references


Headquarters U.S. Air Force

Safeguarding of Personally Identifying Information a.k.a. Privacy Act Data – It is Your Duty!

Back-up Slides


The Privacy Act of 1974

The Privacy Act of 1974 is intended to balance the Government's need for information against the individual's right to privacy. Among its purposes, the Privacy Act of 1974 is intended to:

- Give individuals access to records kept on them
- Allow individuals to correct errors in those records
- Limit the information that is collected to what is relevant and necessary
- Restrict access to personal information by third parties, that is, to protect the privacy interests of the subject from any other person, with some exceptions
- Provide remedies for non-compliance with the Privacy Act of 1974


Key Privacy Act Terminology

The following are key terms used in Privacy Act discussions:

Record: Any item or collection of information about an individual which is maintained by an agency and which contains that person's name or other identifying particulars

System of Records: A group of records under the control of an agency from which information is actually retrieved (not merely could be retrieved) by the name of the individual or by some other personal identifier

Personal Information: The types of information protected by the Privacy Act of 1974, as distinguished from "official information", which is generally not protected. Examples of "personal information" are: Social Security number, marital status, number and sex of dependents, home of record, age and date of birth, home address, and telephone number

Examples of "official information" are: name, military rank and date of rank, pay and special pay, military awards and decorations, and current assignment


Marking Privacy Act Protected Data

Privacy Act protected data are to be handled as “For Official Use Only” (FOUO), see DoD 5200.1-R, Information Security Program, Appendix 3, located at this Web Site: http://www.dtic.mil/whs/directives/corres/html/52001r.htm

Mark Privacy Act protected data with a handling notice when it is created or received:

- "For Official Use Only – Privacy Act of 1974"
- "For Official Use Only – Privacy Act Protected Data"

Place the FOUO marks at the top or bottom of each page or screen. Classified records are marked on both the top and bottom of the page as well as at each paragraph

Before disseminating Privacy Act protected data, make sure it carries the FOUO handling notice
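The "is every page marked?" check described above can be automated for plain-text documents. The following is an added example, not part of the briefing or any Air Force tool: it assumes pages are separated by form-feed characters, accepts either prescribed notice (typed with a hyphen or an en dash) on the top or bottom line of each page, flags Social Security number patterns as a heuristic sign that a page holds Privacy Act data, and can stamp the notice onto pages that lack it. The three-page sample document is constructed for the example.

```python
import re

# The two handling notices the briefing prescribes, normalized to lower case and hyphens.
FOUO_NOTICES = (
    "for official use only - privacy act of 1974",
    "for official use only - privacy act protected data",
)
PAGE_BREAK = "\f"  # assumption: pages (or screens) are separated by form feeds
# Heuristic only: an SSN is one listed "personal information" element; a page with no
# SSN may still hold Privacy Act data (home address, date of birth, ...).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _normalize(line: str) -> str:
    """Fold en/em dashes to hyphens and case-fold so either notice spelling matches."""
    return line.replace("\u2013", "-").replace("\u2014", "-").casefold().strip()


def has_notice(line: str) -> bool:
    """True if the line carries one of the two FOUO - Privacy Act handling notices."""
    text = _normalize(line)
    return any(notice in text for notice in FOUO_NOTICES)


def check_document(text: str) -> list[dict]:
    """One finding per non-blank page: page number, whether a notice sits on the top
    or bottom line (where the briefing says to place it), and SSN-pattern hits."""
    findings = []
    for page_no, page in enumerate(text.split(PAGE_BREAK), start=1):
        lines = [ln for ln in page.splitlines() if ln.strip()]
        if not lines:
            continue
        findings.append({
            "page": page_no,
            "marked": has_notice(lines[0]) or has_notice(lines[-1]),
            "ssn_hits": sum(len(SSN_RE.findall(ln)) for ln in lines),
        })
    return findings


def unmarked_pages(text: str) -> list[int]:
    """Pages that still need a handling notice before the document goes out."""
    return [f["page"] for f in check_document(text) if not f["marked"]]


def add_notice(text: str,
               notice: str = "For Official Use Only – Privacy Act Protected Data") -> str:
    """Stamp every unmarked page at the top with the notice; marked pages are left alone."""
    stamped = []
    for page in text.split(PAGE_BREAK):
        lines = [ln for ln in page.splitlines() if ln.strip()]
        if lines and not (has_notice(lines[0]) or has_notice(lines[-1])):
            page = notice + "\n" + page.lstrip("\n")
        stamped.append(page)
    return PAGE_BREAK.join(stamped)


# Constructed sample: page 1 marked at the top, page 2 unmarked but holding an SSN,
# page 3 marked at the bottom and holding only "official information".
SAMPLE = (
    "For Official Use Only – Privacy Act of 1974\n"
    "Name: A. Airman\nSSN: 123-45-6789\nHome address: 1 Example St\n"
    "\f"
    "Dependents: 2\nSSN: 987-65-4321\nDate of birth: 1990-01-01\n"
    "\f"
    "Current assignment: HQ USAF\nRank: TSgt\n"
    "For Official Use Only – Privacy Act Protected Data\n"
)

if __name__ == "__main__":
    for finding in check_document(SAMPLE):
        print(finding)
    print("unmarked pages:", unmarked_pages(SAMPLE))
    print("unmarked after stamping:", unmarked_pages(add_notice(SAMPLE)))
```

Run it before sending a document out: an empty `unmarked_pages` list means every page carries a notice where the briefing says to put it, and a non-zero `ssn_hits` on an unmarked page is the case to fix first. The SSN regex is a tripwire, not a classifier; the decision that a page holds Privacy Act data still rests with the person handling it.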


Transporting Privacy Act Protected Data

Using Ground Mail:

- Use brown or white envelopes to mail documents
- Never use "holey joes" (interoffice envelopes with holes) or messenger-type envelopes
- You may double wrap the documents using an inner and outer envelope, if you deem it appropriate
- Mark the envelope to the attention of an authorized recipient
- Never indicate on the outer envelope that the contents contain Privacy Act protected data

Hand-carrying:

- When hand-carrying FOUO documents, never leave the documents unattended
- Ensure contents are properly covered (using AF IMT 3227, Privacy Act Cover Sheet) and/or placed in an envelope to shield the contents
- Do not leave FOUO documents on a person's desk; hand them to the recipient to ensure there is no unauthorized access

Using E-mail:

- Use Common Access Card (CAC) procedures (digitally sign and encrypt the message with your CAC certificates)
- Announce in the opening line of text that you are relaying FOUO material


Storing Privacy Act Protected Data

Duty Hours:

- Cover or place documents in an out-of-sight location when those not authorized access enter the work space
- Use filtering devices on computer screens to blacken the view
- Lock computers when leaving – even for brief periods

After Duty Hours:

- If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet
- Special categories of Privacy Act protected data should be placed in locked receptacles

What are some special categories of Privacy Act data?

- Investigative files
- Personnel files
- Security clearance files
- Adverse action files
- Any category that, if released, would embarrass or harm the subject


Disposing of Privacy Act Protected Data

Use any reasonable means that prevents inadvertent compromise!

A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction

Disposal methods may include: tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding (GSA-approved shredder), and mutilation

Recycling contracts are acceptable if the documents are properly protected while in a destruction bin, protected in transit, and one of the above destruction methods is used by the contractor


Sharing of Privacy Act Protected Data

Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform official, assigned duties

If the Privacy Act System Manager has granted you authority to make disclosures outside Department of Defense (DoD):

Share only with those individuals and entities outside DoD that are listed in the “Routine Use” clause of the governing Privacy Act System of Records Notice. Visit the following Web Site for DoD Privacy Act systems notices:

http://www.defenselink.mil/privacy/notices/

If you have doubts about sharing data, consult with your supervisor, the Privacy Act system manager, or your local Privacy Act Officer


Information for Telecommuters

Paper Records:

- Place Privacy Act protected data in locked drawers, locked briefcases, or other secure areas where family/household members, visitors, or intruders cannot access it

Electronic Records:

- Use password protection protocols. Do not share your password
- Do not store Privacy Act protected data on disks, CDs, USB flash drives, memory sticks, flash cards, or other media without proper security protections or authorization
- Do not use wireless computer technology without following the proper security protocols


Controlled Unclassified Information Types and References

For Official Use Only (FOUO): FOUO is not a security classification. It derives from the Freedom of Information Act and is applied to unclassified information that may be withheld from automatic public release under one or more FOIA exemptions. Use FOUO only when necessary. Reference: DoD 5200.1-R, Appendix 3, paragraph AP 3.2

Privacy Act: Requires agencies to publish descriptions of systems of records containing personal information. References: DoDD 5400.11 and DoD 5400.11-R, DoD Privacy Program; and AFI 33-332, Privacy Act Program

Scientific & Technical Information (STINFO): Information relating to research, development, engineering, testing, evaluation, production, operation, use, and maintenance of military products, services, etc. Reference: AFI 61-204, Disseminating Scientific & Technical Information


Controlled Unclassified Information Types and References (Cont'd.)

Export Control: The U.S. Government controls exports of sensitive equipment, software, and technology as a means to promote our national security interests and foreign policy objectives. Reference: DoD Directive 5230.25, Withholding of Unclassified Technical Data From Public Disclosure

Unclassified Controlled Nuclear Information (UCNI):

- Department of Energy (DOE) UCNI: Unclassified facility design information; operational information concerning the production, processing, or utilization of nuclear materials for atomic energy defense programs; safeguards and security information; nuclear materials; and declassified controlled nuclear weapon information previously classified as Restricted Data
- DoD UCNI: Unclassified information about security measures (including security plans, procedures, and equipment) for the physical protection of DoD Special Nuclear Material, equipment, or facilities

Additional references are:

- AFPD 31-4, Information Security, which mandates the policy for protecting sensitive Air Force information
- AFI 31-401, Information Security Program Management, which prescribes and explains how to manage and protect unclassified controlled information and classified information