How To Engage Students in Active Learning - PowerPoint PPT Presentation

About This Presentation
Title:

How To Engage Students in Active Learning

Description:

Identify U.S. federal personal information privacy and protection laws and ... Tools Required to Intercept & Obstruct Terrorism Act (a.k.a. USA Patriot Act ) ...

Slides: 29
Provided by: armai

Transcript and Presenter's Notes

1
Federal Requirements for Personal Information Protection
Metropolitan New York City Chapter, ARMA International, May 11, 2009
Virginia A Jones, CRM, FAI, Records Manager, Newport News Dept. of Public Utilities
2
Learning Objectives
  • Upon completion of this session, participants
    will be able to:
  • Identify U.S. federal personal information
    privacy and protection laws and the purpose of
    each
  • Identify the key requirements of each U.S.
    federal personal information privacy and
    protection law and to what type of government or
    business entity it applies
  • Outline specific and clearly implied RIM
    requirements of key information privacy and
    protection laws

3
Introduction
  • More than 79 million records reported compromised
    in the U.S. in 2007 (Identity Theft Resource
    Center).
  • Federal laws require organizations to be
    responsible for privacy of certain records and
    data.

Associated Press/Daily Press, December 31, 2007
4
Who needs information privacy?
  • Citizens
  • Employees
  • Customers/consumers
  • Medical care recipients

5
What information is private?
  • Definition of personally identifiable
    information varies slightly from law to law
  • All based on FTC definition
  • Data that can be linked to specific individuals,
    and includes but is not limited to such
    information as name, postal address, phone
    number, e-mail address, social security number
    and driver's license number.
  • Also can include medical information, financial
    information, educational records, and religious
    affiliation.

6
Social Security Number
  • Most overused PII
  • Established in 1935 to aid in contribution toward
    a national retirement fund
  • Eventually became accurate method of uniquely
    identifying individuals
  • At least 5 federal laws restrict use or
    disclosure of SSN

7
What is privacy?
  • Information privacy
  • Bodily privacy
  • Territorial privacy
  • Communications privacy

Information Privacy, Swire & Bermann,
International Association of Privacy
Professionals, 2007
8
Information Privacy
  • Directly related to life cycle of records and
    information
  • Records creation, either specific or implied
  • File management
  • Records protection
  • Records access
  • Records retention/disposition

9
Information Privacy
  • Responsibility of Records Management
  • RM should be aware of pertinent laws and
    requirements of those laws
  • RM should also be aware of any pertinent Rules or
    Regulations generated under the authority of the
    laws

10
Federal Laws
  • Reference or set definitions for several RIM
    terms
  • Record(s)
  • System of records or record keeping system
  • Record keeping

11
Federal Laws
  • Public Law results in changes to U.S. Code.
  • Code of Federal Regulations (CFR) contains the
    rules and regulations generated under the
    authority of a law.

12
Federal Laws
  • Models of data protection
  • Comprehensive laws
  • Sectoral laws
  • Co-regulatory model
  • Self-regulatory model
  • Information Privacy, Swire & Bermann,
    International Association of Privacy
    Professionals, 2007
  • U.S. takes a sectoral and self-regulatory
    approach to privacy legislation and protection

13
Federal Laws
  • At least 28 federal laws set privacy and data
    protection requirements
  • What can be collected
  • How it can be used
  • How and where it can be disseminated
  • Rights of data subjects
  • Penalties if not in compliance or privacy is
    breached

14
Federal Laws
  • Many based on requirements set by Privacy Act of
    1974
  • Some developed after deliberate misuse of data
  • Several developed and passed as reaction to data
    breaches with severe consequences

15
Federal Laws
  • Laws pertain to particular private or government
    sectors
  • Each organization must determine which laws
    pertain to them
  • Many states have adopted laws similar to Federal
    laws for compliance by state and local government

16
Appendix A: U.S. Federal Privacy Legislation
Overview
17
Children's Online Privacy Protection Act (COPPA)
1998
  • Targets online data collection practices
  • Six basic requirements
  • Commercial websites or online services must
    comply with the requirements
  • Restricts collection and maintenance of personal
    information
  • Children's Online Privacy Protection Rule, 16 CFR
    Part 312

18
E-Government Act 2002
  • Public Law 107-347
  • Establishes a Federal Chief Information Officer
    within the Office of Management and Budget, and
    establishes measures that require using
    internet-based information technology to enhance
    citizen access to Federal Government information
    and services.
  • OMB M03-22, Guidance for Implementing the Privacy
    Provisions of the E-Government Act, September
    2003
  • Assists agencies in implementing the privacy
    provisions of the E-Gov Act

19
Electronic Communications Privacy Act 1986
  • Title I - Wire And Electronic Communications
    Interception And Interception Of Oral
    Communications (1968) (Federal Wiretap Statute)
  • Title II - Stored Electronic Communications
    Privacy Act (1986)
  • Title III - Pen Register and Trap & Trace Device
    Statute (1988) (Pen/Trap Statute)

20
Fair Credit Reporting Act
  • Fair Credit Reporting Act (FCRA) (1970)
  • Addresses use and disclosure of an individual's
    credit report information, including the use of
    credit report information by employers in making
    employment decisions
  • Fair and Accurate Credit Transactions Act (FACTA)
    (2003) (amends FCRA)
  • Governs opt-out notices, use of credit report
    information by employers in making employment
    decisions, and disposal of consumer credit
    information

21
Financial Services Modernization Act 1999 (aka
Gramm-Leach-Bliley Act)
  • Governs the privacy and security of personal
    financial information
  • Applies to financial institutions
  • Privacy Of Consumer Financial Information, 16 CFR
    Part 313

22
Foreign Intelligence Surveillance Act 1978
(amended 2008)
  • Governs the government's authority to conduct
    electronic surveillance to acquire foreign
    intelligence information from a foreign power,
    agent of a foreign power, and, under certain
    circumstances, a United States person.
  • Sets surveillance limitations and establishes a
    special court

23
Health Insurance Portability & Accountability Act
(HIPAA) 1996
  • Governs the disclosure of protected health
    information
  • Applies to health plans, health care
    clearinghouses, and health care providers
  • National Standards to Protect the Privacy of
    Personal Health Information, 45 CFR Parts 160,
    162, 164
  • Security Standards for the Protection of
    Electronic Protected Health Information, 45 CFR
    Parts 160 & 164
  • Electronic Transactions and Code Set Standards,
    45 CFR Part 162

24
Privacy Act 1974, amended 2004 (Part of the
Freedom of Information Act)
  • Governs third party access to personal
    information maintained by the federal government
  • Only pertains to Federal Executive Branch
  • Federal Agency Responsibilities for Maintaining
    Records About Individuals, Appendix I to OMB
    Circular No. A-130, Revised 1996

25
Safe Harbor Data Privacy Framework 2000
  • Governs transfer of personal information between
    the E.U. and third countries
  • Framework of data protection principles
  • Privacy Policy
  • Self-Certification Process
  • Applies to any organization subject to FTC
    jurisdiction wanting to do business with E.U.,
    U.S. air carriers and ticket agents subject to
    Dept. of Transportation
  • Alternative Standard Contractual Clauses

26
Uniting & Strengthening America by Providing
Appropriate Tools Required to Intercept &
Obstruct Terrorism Act (a.k.a. USA Patriot Act)
2001, amended 2006
  • Amends a number of statutes
  • Governs the deterrence and punishment of terrorist
    acts in the United States and around the world
    and enhances law enforcement investigatory tools.
  • Applies to law enforcement and businesses that
    provide financial and communications services

27
Resources
  • Federal Requirements for Personal Information
    Protection, ARMA International Educational
    Foundation: http://www.armaedfoundation.org/
  • THOMAS, Library of Congress: http://thomas.loc.gov/
  • Legal Information Institute, Cornell University
    Law School: http://www.law.cornell.edu/uscode/
  • Privacy Rights Clearinghouse: http://www.privacyrights.org/

28
Download free copy of paper from AIEF site
at http://www.armaedfoundation.org/reports.php