Privacy Training for IT Professionals DOI University - PowerPoint PPT Presentation

Provided by: marilyn49
1
Privacy Training for IT Professionals DOI University
2

Privacy Training for IT Professionals: Introduction
Why do I need privacy training?
3
Privacy Training for IT Professionals: Why Privacy Training?
  • Persons who are involved in the design,
    development, operation, or maintenance of a
    system of records, or in maintaining any record
    must be instructed in the rules and requirements
    of the Privacy Act. (5 USC 552a(e)(9)
    of the Privacy Act)

4
Privacy Training for IT Professionals: Why Privacy Training?
  • The individual's right to privacy must be
    protected in Federal Government information
    activities involving personal information.
  • (OMB Circular A-130 Management of Federal
    Information Resources, Basic Considerations and
    Assumptions Sec. 7.g.)

5
Privacy Training for IT Professionals: Why Privacy Training?
  • The increasing use of computers and
    sophisticated information technology, while
    essential to the efficient operations of the
    Government, has greatly magnified the harm to
    individual privacy that can occur from any
    collection, maintenance, use, or dissemination of
    personal information.
  • (5 U.S.C. 552a Section 2(a)(2) of the Privacy
    Act).

6
Privacy Training for IT Professionals: Why Privacy Training?
  • The purpose of this section is to ensure
    sufficient protections for the privacy of
    personal information as agencies implement
    citizen-centered electronic Government.
  • (Section 208 of the E-Government Act of 2002)

7
Privacy Training for IT Professionals: Objectives
  • This training is meant to help those handling
    information on individuals understand:
  • Government privacy requirements that apply to
    that information, and
  • Their roles and responsibilities in handling that
    information.

8

Privacy Training for IT Professionals: Overview
  • Topic I Government Privacy Requirements
  • Topic II E-Government Act of 2002 Web Requirements
  • Topic III Privacy and OMB Exhibit 300s
  • Topic IV Privacy Impact Assessments
  • Topic V Life Cycle Management (LCM)
  • Topic VI FISMA Reviews

9

Privacy Training for IT Professionals: Overview
  • Topic VII Case Studies
  • Topic VIII Roles and Responsibilities
  • Topic IX Additional Training

10
Topic I Government Privacy Requirements
11
Why the Emphasis on Privacy and Electronic
Information Now?
  • Surveys show that people have increasingly become
    concerned with the loss of control over their
    information
  • In order for Electronic Government to succeed,
    individuals must have confidence and trust in the
    Government's handling of their information
    through electronic services.

12
Why the Emphasis on Privacy and Electronic
Information Now?
According to the Excellence in Government Report
on E-Government (April 2003), privacy is part of
the equation for the success of E-Government:
Ease, Engagement, Privacy and Protection
13
The World of Government Privacy - 2005 Broad and
Diverse
14
Government Privacy Policy Framework
Privacy Act
OMB A-130
Computer Matching
OMB A-11
FOIA
OMB M-99-18
FISMA and Privacy Management Reporting OMB
M-05-15
E-Gov Act
OMB M-00-13
FISMA
OMB M-03-22
HIPAA
OMB M-05-15
OMB M-05-24 (HSPD-12)
Consolidated Appropriations Act of 2005
FISMA now requires agencies to demonstrate in
their reporting activities compliance with three
decades' worth of federal privacy laws and
Government requirements.
15
Government Privacy Policy Framework
  • The Computer Matching and Privacy Protection Act
    of 1987
  • Requirements when comparing Privacy Act
    databases
  • The Freedom of Information Act
  • Exemptions 6 and 7(C)
  • The E-Government Act of 2002
  • Section 208 of the E-Government Act of 2002
    requires privacy provisions for databases and
    websites. Privacy Impact Assessments are to be
    used to build in privacy in IT systems.

16
Government Privacy Policy Framework
  • The Federal Information Security Management Act
    of 2002
  • - Improving the security and privacy of
    sensitive information in Federal computer
    systems.
  • Health Insurance Portability and Accountability
    Act of 1996
  • - Standards for handling of medical
    information
  • The Consolidated Appropriations Act of 2005
  • Several provisions related to privacy require a
    Privacy Officer, privacy and data protection
    procedures and policies, and independent
    third-party reviews

17
Government Privacy Policy Framework
  • The Paperwork Reduction Act of 1995 (as amended
    by the Clinger-Cohen Act)
  • Addresses authority and procedures to collect
    information from individual members of the public
    and Privacy Act compliance.
  • The Paperwork Elimination Act of 1998
  • Federal agencies must allow individuals the
    option to submit information or transact with the
    agency electronically, when practicable, and to
    maintain records electronically, when
    practicable. Requires analysis of privacy
    impact.

18
Government Privacy Policy Framework
  • Office of Management and Budget (OMB) Circular
    A-130, Appendix I Agency Responsibilities for
    Maintaining Information About Individuals
  • OMB Circular A-11 Budget Submissions (Sec. 53
    on Info Technology and E-Gov)
  • OMB Circular A-16 Coordination of Geographic
    Information. See sections on protecting privacy
    in GIS info.
  • OMB Circular A-123
  • Management Accountability - compliance with
    federal laws

19
Government Privacy Policy Framework
  • OMB Memorandum M-99-18, Privacy Policies on
    Federal Web Sites (June 2, 1999)
  • OMB Memorandum M-00-13, Privacy Policies and Data
    Collection on Federal Web Sites (June 22, 2000)
  • M-03-22, OMB Guidance for Implementing the
    Privacy Provisions of the E-Government Act of
    2002 (September 30, 2003)

20
Government Privacy Policy Framework
  • OMB Memorandum, M-05-15, FY 2005 Reporting
    Instructions for the Federal Information Security
    Management Act and Agency Privacy Management
    (June 13, 2005)
  • OMB Memorandum, M-05-24, Implementation of
    Homeland Security Presidential Directive (HSPD)
    12 Policy for a Common Identification Standard
    for Federal Employees and Contractors (August 5,
    2005)

21
Departmental Privacy Policy Framework
  • Previous Government Statutes and Requirements
  • Departmental Privacy Act Regulations (43 CFR
    2.45-2.79)
  • Departmental Privacy Act Manual
  • Sections 383 DM 1-13
  • CIO Bulletins and Memos

22
Departmental Privacy Policy Framework
  • DOI Privacy Act Regulations and Manual Sections
    (including a subject index of both) are included
    in the CD handout.
  • DOI and Government references are also available
    on the Interior Privacy Program Website at
    www.doi.gov/ocio/privacy.

23
This Government Privacy Policy Framework Applies
to
  • Information on individuals (United States
    citizens, and lawfully admitted permanent
    residents)
  • Does not apply to information about persons
    representing businesses, governments, or
    organizations
  • Does not apply to statistical information not
    linked to the individual's name or unique
    identifier

24
Government Privacy Policy Applies to -
  • Paper Records
  • Databases
  • Intra and Inter-Agency Data Sharing
  • Agency Records in any Format
  • Data Warehouses
  • Websites and Portals
  • New Technology
  • (e.g., GIS, Wireless)

25
The Privacy Act Foundation of Privacy Framework
  • The Act focuses on four basic policy objectives
  • To restrict disclosure of personally identifiable
    records maintained by Executive agencies
  • To grant individuals increased rights of access
    to agency records maintained on themselves
  • To grant individuals the right to seek amendment
    of agency records that are not accurate,
    relevant, timely, or complete and
  • To establish a code of "fair information
    practices"

26
Fair Information Practices --
  • Code to regulate the
  • Collection
  • Maintenance
  • Use, and
  • Dissemination of personal information on
    individuals
  • Provides CONTROLS and assurances through the LIFE
    CYCLE of information management.

27
The Privacy Act Broad in Scope
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Publishing Notices
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

28
The Privacy Act An Overview
  • It covers information on individuals that is in a
    system of records.
  • This is any group of any records from which
    information is retrieved by the name of an
    individual or by some other identifying
    particular that can link the information to an
    individual.

29
The Privacy Act An Overview
  • Retrieved vs Retrievable
  • OMB guidelines explain that a system of records
    exists if
  • (1) There is an indexing or retrieval
    capability using identifying particulars built
    into the system, and
  • (2) The agency does in fact retrieve records
    about individuals by references to some personal
    identifier

30
The Privacy Act An Overview: Collecting Information
  • Government employees must follow certain legal
    requirements to collect information from
    individuals.
  • - If you wish to collect the same information
    from 10 or more members of the public you will
    need to contact your bureau/office Information
    Collection Clearance Officer.
  • - Office of Management and Budget approvals may
    be required for such collections. These
    requirements apply to information collected from
    websites as well.

31
The Privacy Act An Overview: Collecting Information
  • Other Privacy Act requirements which must be
    considered before collecting information from
    individuals include
  • Collecting the information directly from the
    subject of the file, and
  • Providing a Privacy Act notification statement on
    the form collecting the information (again this
    also applies to Internet forms).

32
The Privacy Act An Overview: Collecting Information
  • Minimization Principle
  • Only maintain information about an individual
    that is relevant and necessary to accomplish a
    purpose of the agency required to be accomplished
    by statute or by Executive Order of the
    President.
  • Can't stockpile information that is not
    necessary now but may be of use in the future.
  • Can't collect information you don't have a legal
    authority to collect.

33

The Privacy Act An Overview: Collecting Social Security Numbers
  • Does the Privacy Act allow agencies to collect
    Social Security Numbers?
  • The collection of the SSN must be:
  • Required by law, or
  • Required before January 1, 1975
34

The Privacy Act An Overview: Notification Requirements
  • Before you collect information that will create a
    new Privacy Act system of records, or change
    another, you must publish a notice in the Federal
    Register. This is called a Privacy Act system
    of records notice.
  • Published notices that cover the Privacy Act
    records maintained by the Department are posted
    on the Department's Privacy Program Website and
    can be viewed at the Government Printing Office
    website.

35
The Privacy Act An Overview: Notification Requirements
  • These notices are important resources for the
    public. They provide information on the purpose
    of the system and how it will be maintained and
    used.

36
The Privacy Act An Overview: Notification Requirements
  • DOI employees should use these notices as
    guidelines when making decisions about
    information from Privacy Act systems of records.
  • If you make decisions about information from
    Privacy Act systems, do you have a copy of the
    applicable Privacy Act notice to identify the
    restrictions on the information?

37

The Privacy Act An Overview: Federal Records Act Requirements
  • All Privacy Act records are required to have a
    records disposition schedule and are subject to
    Federal Records Act (FRA) requirements for paper
    and electronic records.

38
The Privacy Act An Overview: Federal Records Act Requirements
  • This FRA information is published in the Privacy
    Act system of records notice in the Federal
    Register. It is also identified in the Exhibit
    300 and Privacy Impact Assessment.
  • There are circumstances that may freeze the
    requirements to dispose of information as
    required by the FRA and the Privacy Act.

Speak to your Records Manager about current policy
39
The Privacy Act An Overview: Disclosure Restrictions

The Privacy Act limits and defines the disclosure
of personal information by an agency. Most
employees have access to or manage some
information from a Privacy Act system of records.
Often we receive inquiries or requests for the
information that we have in our possession or
have access to.
40
What are Privacy Act Requirements?

The Privacy Act An Overview: Disclosure Restrictions
  • The Privacy Act instructs that we cannot
    disclose by any means of communication (e.g.,
    conversationally or by email) any information
    from a Privacy Act system of records without a
  • (1) Written request from or
  • (2) Prior written consent from the individual to
    whom the record pertains.

41
The Privacy Act An Overview: Disclosure Restrictions

However, the Privacy Act allows for certain
exceptions to this "no release without consent"
rule. The following are the 12 exceptions
allowed by the Privacy Act (5
U.S.C. 552a(b)).

42
The Privacy Act An Overview: Disclosure Restrictions

No written request or consent is required when
release is:
  • (1) To Departmental employees who have legitimate
    need for the record in the performance of their
    duties
  • (2) Required by the Freedom of Information Act
    (a FOIA request must be in hand)
  • (3) For a routine use identified in the Federal
    Register notice
43
The Privacy Act An Overview: Disclosure Restrictions
  • Other exceptions include
  • To the Bureau of Census for census survey
  • To a recipient for statistical research without a
    link to the names and identifiers
  • To the National Archives
  • To a governmental jurisdiction within or under
    the control of the U.S. for civil and criminal
    law enforcement activity
  • To a person on a showing of compelling
    circumstances affecting the health or safety of
    an individual

44
The Privacy Act An Overview: Disclosure Restrictions

  • (9) Either House of Congress
  • (10) To GAO
  • (11) To a court of competent jurisdiction, or
  • (12) To a consumer reporting agency in accordance
    with section 3711(e) of Title 31.

For all disclosures except for (1) and (2),
employees are required to keep an accounting of
the date, nature, and purpose of each disclosure.
45
The Privacy Act An Overview: Disclosure Restrictions
  • For questions on how to handle requests for
    information from Privacy Act systems contact your
    Privacy Act Officer or Coordinator.
  • For Departmental guidelines see
  • Departmental Privacy Act regulations (43 CFR
    2.56)
  • Departmental Privacy Act Manual Section (383 DM
    Chapter 7), and
  • FOIA regulations at 43 CFR 2.27
  • 383 DM 15 Ch. 1.12 For Privacy Act Access
    Requests.
  • 383 DM 15 Ch. 3.15 on the Relationship of the
    FOIA and the Privacy Act

46
The Privacy Act An Overview: Rights of the Subject of the File
  • The Privacy Act provides an individual with some
    control and rights over the information the
    Government collects on him/her, such as being
    able to
  • Request whether a system contains records about
    themselves,
  • Request access to their records, and
  • Request amendment of their records

47
The Privacy Act An Overview: Rights of the Subject of the File
  • There are some instances when you would be
    exempt from complying with access requests. For
    example, this happens when
  • The information was compiled in anticipation of a
    civil action or proceeding, or
  • The system of records was identified in
    rulemaking as an exempt Privacy Act system of
    records.

48
The Privacy Act An Overview: Rights of the Subject of the File
  • The Federal Register notice also
    identifies the exemption.
  • A list of DOI exempt systems is published in the
    DOI Privacy Act regulations at 43
    CFR 2.79.
  • In cases like this please contact your Privacy
    Act Officer or Coordinator.

49
The Privacy Act An Overview: DOI Exempt Systems
  • Systems listed in 43 CFR 2.79
  • Investigative Case File System, Interior/FWS-20
  • Law Enforcement Services System, Interior/BIA-18
  • Law Enforcement Statistical Reporting System,
    Interior/NPS-19
  • Investigative Records, Interior/Office of
    Inspector General--2
  • Investigative Records, Interior/Office of
    Inspector General--2
  • Permits System, Interior/FWS-21

50
The Privacy Act An Overview: DOI Exempt Systems
  • Criminal Case Investigation System,
    Interior/BLM-18
  • Civil Trespass Case Investigations,
    Interior/BLM-19
  • Employee Conduct Investigations, Interior/BLM-20
  • Employee Financial Irregularities,
    Interior/NPS-17
  • Trespass Cases, Interior/Reclamation-37
  • Litigation, Appeal and Case Files System,
    Interior/Office of the Solicitor-1 to the extent
    that it consists of investigatory material
    compiled for law enforcement purposes

51
The Privacy Act An Overview: DOI Exempt Systems
  • Endangered Species Licenses System,
    Interior/FWS-19
  • Investigative Case File, Interior/FWS-20
  • Timber Cutting and Trespass Claims Files,
    Interior/BIA-24
  • National Research Council Grants Program,
    Interior/GS-9
  • Committee Management Files, Interior/Office of
    the Secretary--68.
  • (Basically litigation and law enforcement-related
    systems -- See 43 CFR 2.45 and 43 CFR 2.79)

52
The Privacy Act An Overview: Penalties for Violations
  • It is important to know the Privacy Act's
    requirements. There are civil and criminal
    penalties for violating certain requirements of
    the Act.
  • There are penalties for
  • Prohibited disclosures,
  • Maintaining a system without a published notice,
    and
  • Obtaining information under false pretenses.

53
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • DOI Privacy Act regulations require that all
    employees must take care to protect the
    integrity, security, and confidentiality of
    Privacy Act records in their control.
  • DOI regulations also provide the minimum
    safeguard requirements for managing Privacy Act
    systems of records.

54
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • The Privacy Act requires appropriate
    administrative, technical and physical safeguards
    to ensure the security and confidentiality of
    records and to protect against any anticipated
    threats or hazards to their security or integrity
    ...

55
The Privacy Act An Overview: Safeguarding Privacy Act Records

The Privacy Act requires that personal
information on individuals be protected from
unauthorized disclosure and provides for both
civil and criminal penalties for violations of
the Act. A key purpose of these requirements is
to prevent unauthorized access.
56
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • I. For Records Maintained in Manual Form
  • Areas with Privacy Act information shall have
    Privacy Warning Notices posted.
  • Only authorized personnel in areas that maintain
    Privacy Act records.
  • Access to the records shall be restricted by
    their storage in locked metal file cabinets or a
    locked room.

57
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • Security supplemented with lockable file cabinets
    or containers or changing the lock or locks for
    the room so they may not be opened by a master
    key.
  • The Office of Management and Budget requires that
    each bureau annually review its recordkeeping
    and disposal policies and practices to ensure
    compliance with the Act.
  • See draft Recordkeeping Checklist in handouts

58
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • II. For Records Maintained in Computerized Form
  • Records subject to National Institute of Science
    and Technology (NIST) safeguards (see NIST
    special publications)
  • Maintained by security requirements for personnel
    records set out in 5 CFR
    293.106 and 293.107

59
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • The bureau is responsible for assuring that there
    are specific procedures for protecting the
    Privacy Act records
  • These should be in writing and be posted or
    periodically brought to the attention of
    employees working with the records

60
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • Convert Privacy Warning Notices into electronic
    form to inform the user of the restrictions and
    penalties
  • Follow NIST publication, the Security
    Self-Assessment Guide for Information Technology
    Systems SP 800-26, which provides a checklist
    for safeguarding IT systems and sensitive and
    confidential information

61
DOI Privacy Act Warning Notice

62
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • Safeguards must be in place to assure the
    integrity and confidentiality of the records
    while in transit.
  • When the records are transferred to a Federal
    Records Center (FRC) the appropriate use
    restrictions applicable must be specified on the
    transfer form (See 384 DM 4).

63
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • Records transferred to the FRC remain under the
    jurisdiction of the Department and subject to
    Privacy Act requirements.
  • Disclosure requirements must be identified with
    the records.

64
The Privacy Act An Overview: Safeguarding Privacy Act Records
  • For more information on the minimum safeguard
    requirement see
  • - 43 CFR 2.51
  • - 383 DM Chapter 8
  • - NIST SP 800-37 Security Certification and
  • - NIST SP 800-26 Security Self-Assessment

65
(No Transcript)
66
Privacy Security
67
The Privacy Act An Overview: Government Contracts
  • When a contract provides for the operation by
    or on behalf of the Department of a system of
    records to accomplish a Department function, the
    contract shall cause the requirements of 5 U.S.C.
    552a and the regulations contained in this
    subpart to be applied to such a system.
  • (See 43 CFR 2.53)

68
The Privacy Act An Overview: Government Contracts
  • The Federal Acquisition Regulations (FAR)
    require that the Privacy Act apply to contractors
    and their employees when an agency contracts for
    the design, development, or operation of a system
    of records to accomplish an agency function.
  • (See FAR 48 C.F.R. 24.102(a) and Interior
    Acquisition Regulations (DIAR) at
    48 C.F.R. 1424.1)

69
The Privacy Act An Overview: Government Contracts
  • The Federal Acquisition Regulations require that
    Contracting Officers
  • (1) Include the Privacy Act clause in
    contracts (see FAR 52.224-1 and Privacy Act
    Notification at FAR 24.104(a), and supplemental
    information at DIAR 1452.224-1)
  • (2) Ensure that the contract work statement
    specifically identifies the Privacy Act system of
    records on individuals and

70
The Privacy Act An Overview: Government Contracts
  • (3) Make available to contractors agency
    regulations and guidelines on implementing the
    Privacy Act
  • (See 48 CFR 24.103 and 104)
  • Contracts should be amended to include these
    clauses if the contractor is managing Privacy
    Act information and these clauses are not
    included.

71
Topic II E-Government Act: Web Requirements
72
E-Government Act Web Requirements
  • OMB Memo M-03-02, Section III provides Privacy
    Policies on Agency Websites
  • Key Points
  • Follow current web policy (see OMB privacy policy
    website at www.whitehouse.gov/omb/privacy/website_privacy.html)
  • Web privacy policy notices (See DOI umbrella
    privacy policy notices on webpage template)
  • Specific privacy policy notices when collecting
    information from the public (for example
    http://www.volunteer.gov/gov/privacy.cfm)

73
E-Government Act Web Requirements
  • In OMB Memo M-03-02, Attachment A, Section III
    provides Privacy Policies on Agency Websites
  • Key Points
  • No persistent tracking web tools or persistent
    cookies
  • Comply with Children's On-line Privacy Protection
    Act (See info at the FTC website
    www.ftc.gov/bcp/conline/publs/buspubs/coppa.htm)
  • Machine readable privacy policy P3P
  • (the DOI Web Council will implement this)

74
E-Government Act Web Requirements
  • If the website you are developing collects
    information from the public... are you aware of
    the OMB and E-Government Act of 2002
    requirements?
  • Do you restrict the use of permanent cookies?
  • When websites are directed at children 13
    years and under do you follow the FTC Children's
    On-Line Privacy Protection Act requirements?

75
E-Government Act Web Requirements
  • Will information collected from the public create
    a new Privacy Act system?
  • Are appropriate Web Privacy Policy notices posted
    for major entry-points and frequently visited
    websites?
  • Are specific Web Privacy Policy notices posted
    for sites that collect information from
    individual members of the public?

76
E-Government Act Web Requirements
  • Refer to the Links to Guidelines and References
    info on Web Policy at
    http://www.doi.gov/ocio/privacy/guidelines_and_references.html
  • DOI will soon be issuing a Web Manager Handbook,
    expected out by January 2006

77
Implementing P3P at DOI
E-Gov Act Requirement for P3P Notice (Privacy
Policy Preference)
78
Adjusting Privacy Preferences and Reading P3P
Notices
Adjust to Block All Cookies
  • Click on Tools > Internet Options > Privacy

After adjusting the privacy level and going to a
website you will notice a red circle with a slash
through it at the bottom right side of the web
page. Click on this for the human readable
Privacy Policy text
79
The DOI P3P notice that comes up when the red
circle is clicked on a DOI webpage. Modeled
after GSA and Commerce's industry standard
80
Topic III Privacy and OMB Exhibit 300
  • OMB Circular A-11 provides guidelines on
    preparing budget submissions to OMB
  • The Exhibit 300 is required to justify the budget
    for major IT investments
  • There are many questions concerning what privacy
    protection measures were taken when planning and
    developing the investments

81
Privacy and OMB Exhibit 300
  • Section I.F. Risk Inventory and Assessment: Was a
    Privacy Risk Assessment Done?
  • Have you identified if the system contains
    information on individuals?
  • Do you know if it's a Privacy Act system?
  • Do the rules of behavior identify the proper
    handling procedures for restricting a Privacy Act
    system?
  • Do you know what the Federal Register published
    restrictions are?

82
Privacy and OMB Exhibit 300s
  • Section I.F. Risk Inventory and Assessment: Was a
    Privacy Risk Assessment Done?
  • Did the technical evaluation ensure that Privacy
    Act requirements are met? Need to know what a
    Privacy Act system is and what the requirements
    are to do this.
  • Are Privacy Warning Notices posted or employees
    aware of the sensitive nature of the information,
    its handling and penalties involved? (see 383 DM
    8)

83
Privacy and OMB Exhibit 300
  • Section I.F. Risk Inventory and Assessment: Was a
    Privacy Risk Assessment Done?
  • Are sensitive functions divided among different
    individuals?
  • Are mechanisms in place for holding users
    responsible for their actions?
  • Does management regularly review the list of
    persons with physical access to sensitive
    facilities?
  • Are there plans to properly dispose of or archive
    information on individuals? (e.g., is information
    or media purged, overwritten, degaussed, or
    destroyed?) (see 383 DM 8)

84
Privacy and OMB Exhibit 300
  • Sec. II.B.2.D. Have All System Users Been
    Appropriately Trained in the Past Year, Including
    Business Rules and Consequences for Violating the
    Rules?
  • Apply your regulatory and internal requirements
    to educate employees who handle Privacy Act
    information
  • See FAR and DIAR privacy requirements and clauses
    for contracts
  • Include Privacy Act handling requirements in meta
    data (see 383 DM 7 and 9)
  • Include requirements in IT Security business rules

85
Privacy and OMB Exhibit 300
  • Sec. II.B.3. How Does the Agency Ensure the
    Effective Use of Security Controls and
    Authentication Tools to Protect Privacy for Those
    Systems that Promote or Permit Public Access?
  • Do you know what systems have information on
    individuals to categorize them as Privacy Act
    sensitive systems?
  • Have internal need to know requirements been
    established?
  • Do you know what the restrictions are for sharing
    the information outside the Department?

86
Privacy and OMB Exhibit 300s
  • Sec. II.B.3. How Does the Agency Ensure the
    Effective Use of Security Controls and
    Authentication Tools to Protect Privacy for Those
    Systems that Promote or Permit Public Access?
  • Are the builders of this system and those who
    manage and maintain it aware of the Department's
    privacy protection policies and access controls?
  • Have COTRs provided contractors with the
    Departmental privacy guidelines?

87
Privacy and OMB Exhibit 300s
  • Sec. II.B.5. If a Privacy Impact Assessment was
    Conducted, Please Provide a Copy to OMB
  • What is a Privacy Impact Assessment?

88
(No Transcript)
89
Topic IV Privacy Impact Assessments
90
Privacy Impact Assessments
  • OMB Memo M-03-22 of Sept. 2003 requires it for
    any instance that may affect the privacy rights
    of an individual
    (http://www.whitehouse.gov/omb/memoranda/m03-22.html)
  • New EGov Act of 2002 requirement
  • DOI PIA developed in Oct. 2002 (See OCIO Bulletin
    2002-015) copy at www.doi.gov/ocio/privacy/
  • Required for DOI IT Security Certification and
    Accreditation Process

91
Privacy Impact Assessments
  • Required with information collection packages to
    OMB
  • Required when a Privacy Act notice is being
    published in the Federal Register

92
Privacy Impact Assessments
  • Checklist to ensure that existing Privacy Act and
    Govt privacy requirements are being applied to
  • Collections of information about individuals,
  • New or amended information systems with info
    about individuals through each life cycle, and
  • System changes that create a privacy risk

93
Privacy Impact Assessments
  • Only applies to collections of information
  • and information systems about individuals
  • Addresses privacy concerns when designing,
    developing, maintaining information that is in
    identifiable form
  • Ensures that privacy protections are considered
    when collecting, using, maintaining,
    safeguarding, disposing of information through
    the whole life cycle

94
Privacy Impact Assessments
  • According to the OMB guidelines on the
    E-Government Act of 2002, PIAs are conducted
    before
  • Developing or procuring IT systems or projects
    that collect, maintain, or disseminate info in
    identifiable form
  • A new electronic collection of information in
    identifiable form from the public

95
Privacy Impact Assessments
  • OMB also requires them:
  • When a system change creates a new privacy risk,
    such as:
  • Converting paper to electronic records
  • Anonymous to Non-anonymous info
  • Significant system management changes
  • With merging, centralizing, matching databases
  • New user-authenticating technology used
  • Purchasing databases
  • E-Gov initiatives new interagency uses
  • Change in the business process creates a new use

96
Privacy Impact Assessments
  • DOI requires a Preliminary PIA
  • An analysis to determine if the system contains
    information about individuals in an identifiable
    form at all
  • OMB allows for less analysis in responding
    depending on the size and complexity of the
    system
  • IT development stage - Less
  • Major information system - Greater
  • Routine database - Less

97
Privacy Impact Assessments
  • The PIA is not a reporting document
  • It was meant to be a DESIGN tool and not prepared
    just for an Exhibit 300 and IT Security
    Certification.
  • It is meant to be used to help make decisions
    regarding design, development, maintenance and
    changes to a system that contain information on
    individuals.

98
Privacy Impact Assessments
  • The E-Government Act requires agencies to conduct
    a PIA before
  • a. Developing or procuring IT systems or
    projects that collect, maintain or disseminate
    information in identifiable form from or about
    members of the public, or
  • b. Initiating, consistent with the Paperwork
    Reduction Act, a new electronic collection of
    information in identifiable form for 10 or more
    persons (excluding agencies, instrumentalities or
    employees of the federal government).

99
Privacy Impact Assessments
  • According to OMB, in general, PIAs are required
    to be performed and updated as necessary where a
    system change creates new privacy risks.
  • PIAs should become routine when making decisions
    when collecting or maintaining information on
    individuals.
  • Refer to the OMB Memorandum M-03-22, Attachment
    A, Section II. E. 2. for OMB examples of when a
    PIA should be conducted.

100
Privacy Impact Assessments
  • DOI's PIA requirements extend to all systems that
    contain information on individuals (includes
    information on BOTH employees and members of the
    public) (Optional in OMB's Memo (M-03-22)).
  • According to OMB, PIAs should be updated to
    reflect changed information collection
    authorities, business processes or other factors
    affecting the collection and handling of
    information in identifiable form.

101
Privacy Impact Assessments: Key Questions Asked in
the PIA
  • What information is being collected?
  • Why is it being collected?
  • What is the intended use of the information?
  • With whom will the info be shared?
  • What are the options the individual has in
    providing the information?

102
Privacy Impact Assessments: Key Questions Asked
in the PIA
  • How will the information be secured?
  • Is this also a Privacy Act system of
    records?
  • What are the maintenance and administrative
    controls?

103
Privacy Impact Assessments
  • Completing a PIA is a team effort. The System
    Owner should ensure that PIAs are completed at
    each phase and when required. PIAs are
    coordinated with
  • The bureau/office Records Manager,
  • IT Security Manager,
  • Information Collection Clearance Officer,
  • FOIA Officer, and
  • Privacy Act Officer.

104
Privacy Impact Assessments
  • PIA and System Networks
  • In explanations following the OMB Memorandum
    M-03-22, OMB indicated that network systems
    (conduits of information) that do not collect,
    maintain or disseminate information in
    identifiable form from or about members of the
    public would NOT require a PIA
  • General Support Systems
  • Where these systems may maintain information as
    identified above, OMB is requesting that a PIA be
    completed.

105

Privacy Impact Assessments Benefits
  • It provides a way to avoid exponential design
    costs to retrofit systems to meet legal
    requirements.
  • Completing and following privacy principles in
    the PIA helps to build public trust and
    confidence in the Government's management of
    their information and encourages their
    involvement with E-Government.
  • It is a tool to ensure that DOI is meeting its
    information stewardship responsibilities.

106

Privacy Impact Assessments Benefits
  • OMB requires them for budget submissions for
    projects maintaining information on individual
    members of the public.
  • DOI requires them to complete an IT Security
    Certification for both systems that maintain
    information on individual members of the public
    and information on employees.

107
Topic V Life Cycle Management (LCM)
108
Life Cycle Management
Initiation
System Concept Development
Planning
  • Sponsor identifies a need
  • Concept Proposal
  • Scope, Boundaries, Risk Management, Feasibility
    Studies
  • Scope, Boundaries, Risk Management, Feasibility
    Studies

109
Life Cycle Management
Requirements Analysis
Design
Development
  • Requirements into System Design
  • Deliver Functionality
  • Complete Info System
  • Acquiring, Installing, Testing
  • User Needs
  • Functional Requirements Documents

110
Life Cycle Management
Implementation
Integration and Test
  • Conforms to Requirements
  • Quality Assurance Tests
  • Scope, Boundaries, Risk Management, Feasibility
    Studies

111
Life Cycle Management
Operations and Maintenance
Disposition
  • End of System Activities
  • Proper Preservation of Data
  • Tasks
  • Post Implementation and In-process Reviews

112
Privacy and LCM Interface
System Development Life Cycle
Initiation
Acquisition/Development
Operation/Maintenance
Implementation
Disposal
  • PIA to address changes from last phase.
  • System integration
  • Security C&A
  • Handling controls in Business Rules
  • PIA to address changes from last phase.
  • Data quality assurance.
  • Mgmt controls
  • Audit trails
  • Access controls
  • Safeguards
  • PIA to address changes from last phase.
  • Info preservation
  • Sanitization
  • Appropriate disposal of sensitive info
  • Privacy Impact Assessment (PIA)
  • Info Collection
  • Risk Analysis
  • Analyze Data Use and Restrictions
  • Exhibit 300
  • Privacy Notices
  • Records Schedule
  • PIA to address change in privacy from last
    phase.
  • Privacy risks
  • Privacy controls
  • Privacy Planning
  • Contract requirements

113
Privacy Impact Assessment
Collection
Maintenance
Use
Disposal
Privacy Information Life Cycle Requirements Design
privacy requirements in LCM
114
Enterprise Architecture Repository: Systems with
Individuals Identified
  • DOI EA Repository (DEAR)
  • First Cabinet Agency to Establish a
    Department-wide EA Repository aligned to the
    OMB FEA
  • First Official DOI-wide IT System Inventory
  • Provides invaluable information on how IT
    systems support Strategic Goals, Business
    Functions, Data Requirements, underlying
    Infrastructure.
  • Identifies if systems contain info on
    individuals, have Privacy Act notices and PIAs

115
IT Strategic Plan Privacy Requirements in Every
Area
116
Privacy in Architecture
  • Benefits of integrating Privacy into the
    Enterprise Architecture, security activities and
    the SDLC are three-fold:
  • Common understanding of privacy requirements
    among stakeholders
  • Crosswalk of the security and privacy
    requirements improves efficiencies, lowers IT
    costs, increases return on investment
  • Prevents retrofitting of privacy solutions which
    may prove costly and/or time consuming

117
Topic VI Federal Information Security
Management Act (FISMA) Reviews
  • Section 522 of the Consolidated Appropriations
    Act of 2005 requires agencies to demonstrate
    compliance with the following by December 8, 2005:

1. Assure that the use of technologies sustains, and
does not erode, privacy protections relating to the
use of information in identifiable form (IIF).
2. Assure that technologies used for IIF allow for
continuous auditing of compliance with stated
privacy policies and practices governing the
operation of the program.
118
FISMA Reviews
  • Assure that personal information contained in
    Privacy Act systems of records is handled in full
    compliance with fair information practices.
  • Evaluate legislative and regulatory proposals
    involving collection, use, and disclosure of
    personal information.
  • Conduct a Privacy Impact Assessment of proposed
    rules of the Department on the privacy of IIF.

119
FISMA Reviews
  • Ensure that the Department protects IIF and
    information systems from unauthorized access,
    use, disclosure, disruption, modification, or
    destruction.
  • Train and educate employees on privacy and data
    protection policies to promote awareness and
    compliance.
  • Ensure compliance with the Department's
    established privacy and data protection policies.

120
FISMA Reviews
  • File with Inspector Generals a written report of
    an agency's use of IIF and privacy and data
    protection policies.
  • Every two years perform a review of the agency's
    use of IIF to its privacy and data protection
    procedures.

121
FISMA now requires agencies to demonstrate in
their reporting activities compliance with three
decades' worth of federal privacy laws.
122
FISMA Reviews
  • Sect. 522 provides for greater congressional and
    agency scrutiny of agency privacy compliance in
    2005; no longer limited to OMB
  • OMB Memorandum, M-05-15 provided guidance on
    Reporting Instructions for FISMA and Agency
    Privacy Management
  • Section D is a reporting template for Senior
    Agency Officials for Privacy Policy (at DOI that
    is the CIO)

123
More Oversight GAO and IG Reviews
  • Two GAO reports on Federal web policies in
    September 2000.
  • One GAO survey in August 2001 on agency
    collection and handling of SSNs.
  • 2001 IG report to Congress on personal
    information collected from DOI websites.
  • 2002 IG review of DOI websites for security and
    privacy compliance.

124
Topic VII Case Studies
  • HSPD-12
  • DOI LEARN
  • FBMS

125
Homeland Security Presidential Directive 12
(HSPD-12)
  • Signed by President Bush on August 27, 2004
  • Directs a common identification standard for
    federal employees and contractors with unescorted
    access to Federal facilities and access to
    networks and systems
  • One of the largest collaborative efforts in
    Government with leadership through the
    Interagency Advisory Board (IAB)
  • National Institute of Standards and Technology
    (NIST)
  • General Services Administration (GSA)
  • Office of Management and Budget (OMB)
  • Private sector partners
  • Enabling a common Federal Information Technology
    (IT) architecture

126
HSPD-12: Towards a Secure and Reliable Form
of Identification
  • Personal Identity Verification Threats
  • General Threat: Unauthorized access to DOI
    facilities or logical assets under the protection
    umbrella of the PIV System and in which a PIV
    card is employed in the access control process.
  • Proper card issuance procedures not in place or
    not followed
  • Improper access procedures
  • Improper issuance of valid card to a malicious
    holder
  • Counterfeiting of cards
  • Use of stolen or borrowed cards to gain physical
    or logical access
  • Use of low sensitivity cards to gain access to
    higher sensitivity areas or systems

127
HSPD-12 - Milestones
  • HSPD-12
  • Establishes Personal Identity Verification (PIV)
    standard (Federal Information Processing Standard
    - FIPS 201) broken into PIV-I (security
    requirements) and PIV-II (technical
    interoperability).
  • By June 2005, agencies must submit an
    implementation plan (FIPS 201 compliant) to OMB
    (The Departmental plan was submitted and accepted
    by OMB).
  • By October 27, 2005, implement PIV-I (security
    requirements) to the maximum extent
    practicable.
  • By October 27, 2006, implement PIV-II (technical
    interoperability requirements).
  • By October 27, 2007, all background
    investigations (employees, contractors, etc.) are
    completed.
  • By October 27, 2008, all background
    investigations completed for employees with
    greater than 15 years.

128
HSPD-12 Control Objectives
  • Secure and reliable forms of identification
  • Issued based on sound criteria for verifying an
    individual employee's identity
  • Strongly resistant to identity fraud, tampering,
    counterfeiting, and terrorist exploitation
  • Can be rapidly authenticated electronically
  • Issued only by providers whose reliability has
    been established by an official accreditation
    process

129
HSPD-12 Components
  • Smart cards
  • ID cards for physical access and logical access
  • Active Directory
  • Provides computer identity management
  • PKI
  • An individual's digital identity
  • Physical security systems
  • Access to buildings
  • PIV E-process
  • Provides FIPS 201 compliance for issuing ID cards
    verifying individuals' physical identity

131
HSPD-12 Requirements
132
HSPD-12 Defining Documents
  • HSPD-12 (8/27/04)
  • FIPS 201 - NIST (2/25/05)
  • Background Investigation of Contract Employees -
    OLES (1/31/05)
  • Visual Card Topography - OLES (5/25/05)
  • Installation of Smart Card Readers at DOI
    Facilities - OLES (5/25/05)
  • Establishment of Bureau HSPD-12 Implementation
    Teams - OLES (6/16/05)
  • Card Issuance and Facility Guidance - OLES
    (7/14/05)
  • OMB Guidance (8/5/05)
  • Federal Identity Management Handbook - GSA (TBD)

133
HSPD-12 - Privacy
  • DOI Privacy Officer significantly involved
  • Privacy Impact Assessment and System of Records
    Notice (SORN) in place for
  • PKI system
  • PIV E-process system
  • Physical access systems
  • Federal Privacy Training Module
  • Other agencies use DOI PIA and SORN as their
    reference documents
  • Developed Privacy Strategy Checklist (see
    handout)
  • On target to meet deadlines set forth in HSPD-12
  • Bureaus must implement management and safeguard
    requirements in 43 CFR 2.51 and 383 DM 3 and 8.

134
HSPD-12 For More Information
  • PIV Standard and Supporting Documents
    http://csrc.nist.gov/piv-program/fips201-support-docs.html
  • DOI HSPD-12 Intranet Site
  • http://www.test.myinterior.doi.net/HSPD12/index.htm
  • Government-wide HSPD-12 on-line training modules
    (www.vodium.com/goto/blm/hspd12.asp).
  • SmartAccess Website http://www.smartaccess.com

135
Case Studies DOI LEARN
  • DOI LEARN
  • The Department of the Interior will employ
    a single Learning Management System
    entitled DOI LEARN. This system will help the
    Department to comply with the President's
    E-training initiative and the Government
    Paperwork Elimination Act, streamline
    registration processes, consolidate redundant
    tracking systems and reduce duplication within
    the Department.

136
DOI LEARN
  • The e-Training Initiative is creating a premier
    governmentwide e-Training environment that
    supports the development of the Federal
    workforce. The Gov Online Learning Center
    (http://www.golearn.gov), which serves as the
    portal site, utilizes competency management tools
    and targets curriculum based on both individual
    and agency needs. This allows agencies to focus
    their training efforts on specific needs and to
    match employee professional and individual
    development to courses and services.

137
DOI LEARN Privacy Considerations
  • Evaluate data collected and from what sources;
    legal authority to collect info from the public
    is different from employees.
  • Information Collection requirements met?
  • Identify in Agreements with OPM information
    ownership issues
  • What OPM can't do with the information.
  • An OPM Privacy Act notice and Privacy Impact
    Assessment to address how OPM will manage and
    safeguard the information.
  • The length of time the records will be maintained.

138
DOI LEARN Privacy Considerations
  • Develop a Privacy Act system of records notice:
    DOI LEARN, Interior, DOI-16
  • Complete a Privacy Impact Assessment
  • Address Records Schedule for DOI
  • Review computer user interface Privacy Warning
    Notices?
  • No persistent cookies on public websites.

139
Case Studies - FBMS
  • What is FBMS?
  • Standardized administrative business processes to
    be implemented by the Department and all Bureaus
  • An Enterprise Resource Planning (ERP) Software
    package that will integrate the Interior onto a
    single Information system to manage a variety of
    business functions, including

140
Case Studies - FBMS
141
FBMS Privacy Considerations
  • What existing systems will be accessed?
  • Information Collection requirements met?
  • Federal Records Act requirements
  • New Privacy Act system of records
  • PIA addresses all components
  • For more information see the DOI FBMS website -
    http://www.doi.gov/fbms/

142
Topic VIII Roles and Responsibilities
  • Privacy Officers and Coordinators are not the
    only ones responsible for implementing the
    Government privacy requirements.
  • You and others also have a very important role.

144

Roles and Responsibilities: All Have a Role
  • All Employees
  • Bureau/Office Heads
  • Contractors
  • System Owners
  • System Developers
  • IT Security Managers
  • System Managers
  • Information Collection Clearance Officers
  • Webmasters

145
Roles and Responsibilities
  • Why All Employees?
  • According to DOI Privacy Act regulations -
    Employees whose duties require handling of
    records subject to the Privacy Act shall, at all
    times, take care to protect the integrity,
    security and confidentiality.
  • (See 43 CFR 2.52(a))

146
Roles and Responsibilities
  • Why All Employees?
  • No employee of the Department may disclose
    records subject to the Privacy Act unless
    disclosure is permitted under 43 CFR 2.56 or is
    to the individual to whom the record pertains
  • (See 43 CFR 2.52(b))

147
Roles and Responsibilities
  • Why All Employees?
  • No employee may alter records unless
    alteration or destruction is properly undertaken
    in the course of the employee's regular duties.
  • (See 43 CFR 2.52(c))

148
Roles and Responsibilities
  • Why Bureaus/Offices?
  • DOI Privacy Act Manual Section 383 DM 3
    identifies responsibilities of the bureaus in
    implementing requirements of the Act.

149
Roles and Responsibilities
  • Specific requirements include
  • Identifying Privacy Act systems
  • Privacy Act system notices are correct and in
    place
  • Standards of maintaining records
  • Designating system managers
  • Ensuring integrity of records
  • Specific disclosure procedures on each system

150
Roles and Responsibilities
  • Training employees who handle Privacy Act
    protected records
  • Specific procedures for notification, access and
    amendment
  • Periodic privacy program reviews (see OMB
    Circular A-130, Appendix I, 8.a.)
  • On-site inspections

151
Roles and Responsibilities
  • Why Contractors?
  • When a contract provides for the operation by
    or on behalf of the Department of a system of
    records to accomplish a Department function, the
    contract shall cause the requirements of 5 U.S.C.
    552a and the regulations contained in this
    subpart to be applied to such system.
  • (See 43 CFR 2.53)

152
Roles and Responsibilities
  • The Federal Acquisition Regulations (FAR) require
    that the Privacy Act apply to contractors and
    their employees when an agency contracts for the
    design, development, or operation of a system of
    records to accomplish an agency function.
  • (See FAR 48 C.F.R.