Personally Identifying Information

The Privacy Act of 1974, as amended, is a Federal law that requires personally identifying information in the custody of the Federal Government about American citizens or approved permanent residents of the United States to be protected from unauthorized disclosure. In passing this law, Congress created a balance between individuals' right to privacy and the government's need to maintain information about individuals.

Privacy information is not just name, date and place of birth, address, and phone number. It includes social security number, payroll number, mother's maiden name, religion, race, information on education, financial and credit data, medical history including results of drug testing, criminal and employment history, work performance ratings, leave balances, types of leave taken, and names of employees who hold government-issued travel cards.

To protect personally identifying information, now often called PII, the Privacy Act requires all executive branch agencies to follow certain procedures when:
- collecting personal information;
- creating databases containing personal identifiers;
- maintaining databases containing personal identifiers;
- disseminating information containing personal data.

Government Contractors

PII in the custody of government contractors is not covered by the Privacy Act unless the contractor is performing on a contract under which the contractor is provided access to or custody of such information by the Federal Government. Under this condition, the law applies to contractor personnel as it applies to government personnel. Government contractors in most states are also subject to state privacy laws that require companies to protect privacy information as defined by state law.

Statutory/Regulatory Responsibilities & Obligations

System of Records Notice (SORN)

Whenever a federal agency maintains a set of information about individuals from which it can retrieve information by some personal identifier such as a name, social security number, or employee number, this collection of information is what the Privacy Act calls a system of records. Before a federal agency can begin to collect personal information for a new system of records, it must go through a complex process that often takes as long as four months. This includes a Privacy Impact Analysis (PIA) and a System of Records Notice (SORN), which must be approved and then published in the Federal Register. The SORN is then open for public comment for 40 days.[1]

The SORN must include the following information:
- name and location of the system;
- categories of individuals on whom records are maintained in the system;
- categories of records maintained in the system;
- legal authority for maintaining the system;
- the purposes for which the system will be used and, for each type of routine use, the categories of users and the purpose of such use;
- policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
- title, name, and business address of the agency official who is responsible for the system of records;
- agency procedures to notify an individual, at his request, if the system of records contains a record pertaining to him, how to gain access to any record pertaining to him, and how to contest the content of any such record;
- categories of sources of the records in the system.

Safeguarding Privacy Act Information

The law does not specify marking or safeguarding requirements. It does require that each government agency that establishes a system of records containing privacy information also establishes appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity…

Individual agencies establish their own procedures for marking, storing, transporting, and disposing of PII. Agencies typically require:
- that PII be stored in filing cabinets or other containers that prevent unauthorized access;
- that it be clearly marked as Controlled Unclassified Information or with some other approved marking, both on paper and on electronic media;
- that email containing PII be encrypted and clearly identify the PII material;
- that information transported by hand be shielded by a cover sheet;
- that information sent by ground mail be addressed to a known person, and that the outer envelope not indicate the presence of sensitive information;
- that information no longer needed be disposed of in a manner that renders the information unrecognizable and beyond reconstruction.

Individual Rights

When a federal agency solicits any PII about an individual for any system of records, it must tell the individual in writing:
- the statute or executive order of the President that authorizes the agency to solicit this information;
- the principal purposes for which the information is intended to be used;
- the routine uses which may be made of the information as announced in the Federal Register;
- whether the disclosure of the information is mandatory or voluntary; and
- the effects, if any, on the individual of not providing the information.

Individuals are usually entitled to access to their own records. The announcement of the system of records in the Federal Register provides the address an individual may use to request access to his or her records, and the government must provide this access either in person or by mail. If an individual believes the information in the record is in error, a formal process is available for requesting correction of the record and for appeal if the manager of the record system refuses to make changes.

Access to Privacy Information

The Privacy Act requires government departments and agencies to develop rules of conduct and training for personnel with access to privacy records. It also requires all departments and agencies to promulgate rules regarding the circumstances under which an individual has a right to see his or her own records.

The Privacy Act lists 12 circumstances under which privacy information may be communicated to other persons without the prior written consent of the individual to whom the record pertains. These include any disclosure required to be released under the Freedom of Information Act, information disclosed to another agency for a civil or criminal law enforcement purpose, disclosure to either house of Congress, and disclosure mandated by court order. Any other communication of privacy information requires a written request and the prior written consent of the individual to whom the record pertains.

Loss of Information

If you have reason to suspect that PII has been deliberately or accidentally compromised or lost, you must report this immediately to an appropriate authority in your organization. Organizations must take immediate action to notify all individuals whose personal information may have been lost or compromised. The loss of PII can result in substantial harm, embarrassment, and inconvenience to individuals or organizations and may lead to identity theft or other fraudulent use of the information. Immediate reporting may enable individuals or organizations to take protective or remedial action to contain the damage.

Unfortunately, there have been a number of recent cases in which thousands, even hundreds of thousands, of PII records have been compromised through a breach of computer security or loss of a laptop computer containing such information. Compromise of PII on a single individual may occur through carelessness, ignorance, or accident. Civil and criminal penalties for compromise of PII are described below.

Penalties

The Privacy Act provides for both civil and criminal penalties for violation of this act. The criminal penalty is a misdemeanor charge and a fine of up to $5,000 for knowingly and willfully:
- obtaining records under false pretenses;
- disclosing PII data to any person not entitled to access;
- maintaining a system of records without meeting public notice requirements.

Courts may also award civil penalties for:
- unlawfully refusing to amend a record;
- unlawfully refusing to grant access to a record;
- failure to maintain accurate, relevant, timely, and complete information;
- failure to comply with any Privacy Act provision or agency rule when the result is an adverse effect on the subject of the record.

Penalties for these violations include actual damages, payment of reasonable attorneys' fees, and removal from employment.

Legal & Regulatory Authorities
- Title 5 USC 552a – Records Maintained on Individuals (Privacy Act)
- Title 12 USC 3417 – Civil Penalties
- Title 18 USC 1905 – Disclosure of Confidential Information Generally
- Title 41 CFR 201-6.1 – Federal Information Resources Management Regulation
- E.O. 12564 – Drug Free Federal Workplace
- OMB Circular No. A-130 – Management of Federal Information Resources, Appendix 1, Federal Agency Responsibilities for Maintaining Records About Individuals
- P.L. 100-71 – The Supplemental Appropriations Act of 1987, Section 503
- P.L. 104-13 – Paperwork Reduction Act of 1955

Notes
[1] USAID, Filing a System of Records Notice: Process and Procedures, at usaid.gov/policy/ads/500/508maa.pdf. Also Department of the Navy, Privacy Office, Guidelines for Establishing a New Privacy Act System of Records Notice, at privacy.navy.mil/tools/guidelines.pdf.
Posted on: Mon, 11 Nov 2013 12:20:01 +0000