Data Classification - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Data Classification

Description:

Protected Health Information - Lester Chan. Conducting a Privacy Inventory - Joanne McNabb. Workshop Exercise - Lester Chan. 4. Information Privacy & Security ... – PowerPoint PPT presentation

Number of Views:2555
Avg rating:3.0/5.0
Slides: 50
Provided by: oisp
Category:

less

Transcript and Presenter's Notes

Title: Data Classification


1
Data Classification Privacy Inventory Workshop
  • Implementing Security to Protect Privacy
  • November 2005

2
Welcome Introductions
  • Debra Reiger, State Information Security Officer
  • Joanne McNabb, California Office of Privacy
    Protection
  • Lester Chan,, California Office of HIPAA
    Implementation

3
Workshop Agenda
  • Welcome Introductions - Debra Reiger
  • Information Privacy Security - Joanne McNabb
  • Introduction to State Policy on Data
    Classification - Debra Reiger
  • Break
  • Protected Health Information - Lester Chan
  • Conducting a Privacy Inventory - Joanne McNabb
  • Workshop Exercise - Lester Chan

4
Information Privacy Security
  • Privacy Individuals interest in controlling the
    handling of his/her personal information
  • Security Organizations interest in protecting
    information assets from unauthorized acquisition,
    damage, disclosure, manipulation, modification,
    loss, or use
  • Information security is essential to privacy
    protection.

5
Personal information is like toxic waste
Managing it requires a high level of skill and
training. -Phil Agre, Technology and Privacy in
a New Landscape
6
Why Protect Personal Information
  • Law and Policy
  • Information Practices Act, HIPAA
  • Data Classification, Encryption (soon)
  • Risk Reduction
  • SAM
  • Security breach notification law (Civil Code
    1798.29) Cost of notification 1-25 per notice
  • Identity Theft
  • 9 Million victims and 52.6 Billion in 2004

7
Protecting Personal Information
  • Classify data and identify records systems
    containing personal identifying information.
  • Locate records needing special protection
  • Notice-Triggering Personal Information
  • Health Information (Protected or Electronic)
  • Protect with appropriate security measures
  • Administrative, Technical, Physical

8
State Policy on Classifying Data
  • Classification of Information

9
Introduction
  • State policy requires that we identify and
    classify our data and protect it appropriately.
  • See SAM Sections 4840-4845
  • Automated files and databases are essential
    public resources.
  • We are the protectors of the publics
    information.
  • We must first classify and locate data before we
    can properly protect it.

10
Information Protection
  • Give appropriate protection from unauthorized
  • Use
  • Access
  • Disclosure
  • Modification
  • Loss
  • Deletion

11
Information Classifications
  • Public Information
  • Confidential Information

12
Public Information
  • Information not exempt from disclosure under the
    provisions of the California Public Records Act
    or other applicable state or federal laws

13
Confidential Information
  • Information exempt from disclosure under the
    provisions of the California Public Records Act
    or other applicable state or federal laws

14
Sensitive Personal Info
  • Sensitive and personal information may occur in
    public and/or confidential records.
  • Files and databases containing sensitive and/or
    personal information require special precautions
    to prevent inappropriate disclosure.

15
Sensitive Information
  • Requires special precautions to protect from
  • Unauthorized use
  • Access
  • Disclosure
  • Modification
  • Loss
  • Deletion

16
Sensitive Information
  • May be either
  • Public, or
  • Confidential.
  • Requires a higher than normal assurance of
    accuracy and completeness.
  • Key factor is integrity.
  • Typical records are agency financial transactions
    and regulatory actions.

17
Personal Information
  • Identifies or describes an individual
  • Must be protected from inappropriate
  • Access
  • Use
  • Disclosure
  • Must also be accessible to data subjects upon
    request

18
Personal Information
  • Identifies or describes an individual
  • Name
  • Home address
  • Home phone
  • etc.
  • Sub-types of Personal Information
  • Notice-Triggering Personal Information
  • Medical Information
  • Protected Health Information
  • Electronic Health Information

19
Notice-Triggering Personal Info
  • Name plus specific items or personal information
  • Social Security Number
  • Drivers license/I.D. card number
  • Financial Account Number
  • Requires notifying individuals if it is acquired
    by an unauthorized person.

20
Protected Health Information
  • HIPAA Covered Entities

21
Protected Health Information
  • Individually identifiable information created,
    received, or maintained by health care payers,
    providers, health plans or contractors, in
    electronic or physical form.
  • State and federal laws require special
    precautions to protect from unauthorized use,
    access, or disclosure.

22
Electronic Health Information
  • Individually identifiable health information
    transmitted by electronic media or maintained in
    electronic media

23
Electronic Health Information
  • Health plans, clearinghouses or providers must
    ensure the privacy and security of electronic
    protected health information from unauthorized
    use, access or disclosure

24
Current Information
  • Assess current systems for protected health
    information in physical (paper) and electronic
    form.
  • Include personal information in the data
    classification portion of risk analysis and risk
    management
  • Risk analysis and risk management are required of
    HIPAA covered entities

25
Future Data Systems
  • Be aware of these data classifications as more
    data is created, maintained or transmitted.
  • Plan for protecting your data during the system
    design phase.
  • Collect data that you have the authority and need
    to collect.

26
Conducting a Privacy Inventory
  • Where is your data? Where is your personal data?

27
Privacy Inventory Process
  • ISO/PO gets management support.
  • Each division/program identifies Privacy
    Contact.
  • ISO/PO explains process to Privacy Contacts.
  • Privacy Contacts complete Privacy Inventory
    Worksheet.
  • ISO/PO/Program implement appropriate safeguards.
  • ISO/PO conduct ongoing privacy awareness training
    for users (more on this later).

28
Overview of Worksheet
  • Part I Records System Inventory
  • Part II Privacy Practices Inventory

29
Part I of Inventory Worksheet
  • Records Systems Containing Personal Information
  • Start with Records Inventory for Records
    Retention Schedule
  • List only Records Systems containing personal
    information

30
1. Records System
  • Group of records maintained for official purposes
  • Same as Records Series in Records Retention
    Handbook Group of related records under a single
    filing category that deal with particular subject

31
Personal Information
  • Information that describes an individual,
    including name, home address, home phone, etc.
    defined in Civil Code 1798.3
  • Information on clients, consumers, applicants,
    licensees, employees, contractors everyone

32
2. Description of Records
  • Examples
  • Applications for general contractors license
  • Personnel records of current employees
  • Case records of recipients of in-home supportive
    service, past and present
  • Consumer complaints

33
3. Sources of Records
  • Examples
  • Subject supplies information on application form
  • Schools provide information on transcripts.
  • DOJ provides information from criminal history
    records

34
4. Owner and Location
  • Owner Department/Division/Program that collects
    and maintains the records
  • Location Agency name and address where original
    records system is located
  • Contact Name, title, business contact
    information of agency official responsible for
    records system

35
5. Authority
  • Citation of regulation or statute authorizing
    agency to collect and maintain records system

36
6. Media of Records System
  • Medium of original records system electronic,
    paper, tape
  • Additional media on which records are stored or
    used
  • PC
  • Laptop
  • Other portable device or medium

37
7. Type of Personal Information
  • Objective Identify records systems containing
    personal information needing special protections
  • Notice-triggering personal information (name plus
    SSN, DL/State ID number, financial account
    number)
  • Health/medical information
  • Other personal information (Home Address, MMN,
    DOB, etc.)

38
8. Confidential or Sensitive Info
  • Does the records system contain any confidential
    or sensitive information (other than personal
    information)?
  • Confidential Exempt from PRA
  • Sensitive For example, network configuration,
    agency bank records

39
9. Routine Uses Disclosures
  • Purposes for which records were created
  • Uses and users
  • Disclosures outside agency that collects and
    maintains records system

40
Part II of Inventory Worksheet
  • Privacy Practices
  • Checklist of major practices per IPA, Government
    Code, etc.
  • Optional but good way to start to build privacy
    awareness

41
1. Privacy Policy Statement
  • Is your agencys privacy policy statement posted
    in your office(s)?
  • Is it posted on your Web site(s)?
  • Government Code 11019.9

42
2. Rules of Conduct
  • Does your program/agency have written rules of
    conduct for handling records containing personal
    information?
  • Civil Code 1798.20
  • If so, attach copy to Worksheet.

43
3. Access Guidelines
  • Does your program/agency have regulations or
    guidelines telling individuals how they can
    access their own records?
  • Civil Code 1798.34 1798.44
  • If so, attach copy to Worksheet.

44
4. Notice on Collection
  • How do you provide notice (of authority, uses,
    disclosures, access procedures, etc.) when
    collecting personal information?
  • Civil Code 1798.17
  • Printed on paper forms
  • On online forms
  • Other

45
5. Public Records Act Disclosures
  • Do you have written procedures for responding to
    PRA requests?
  • How do you protect personal information in public
    records?
  • If so, attach copy to Worksheet.

46
6. Retention Destruction
  • Is this records system listed in your Records
    Retention Schedule?

47
7. Incident Notification Procedures
  • Does the program/division/department have written
    procedures for notification of privacy/security
    incidents?
  • For example, lost/stolen laptop containing
    (possibly notice-triggering) personal
    information Report as information security
    incident, not property theft

48
Privacy Awareness
  • Privacy Inventory raises awareness of privacy
    vulnerabilities and protection requirements
  • Ongoing awareness training for all users is
    essential
  • Coming soon from COPP

49
End of Presentation
  • Questions
  • Comments
Write a Comment
User Comments (0)
About PowerShow.com