cte privacy bridges module 3
TRANSCRIPT
7/29/2019 Cte Privacy Bridges Module 3
Privacy Act (PA) Request, Violations and Reporting Procedures
Module 3
Classify basic facts and terms about Privacy Act (PA) Request, Violations and Reporting Procedures.
Privacy Act Request
A request from a U.S. citizen or lawfully admitted alien (or the requester's authorized agent):
to gain access to his or her records in a "System of Records"
to have information in his or her file corrected
to gain access to an "Accounting of Disclosures," the record of when, why, and to whom the agency has disclosed his or her file
Privacy Act
Allows U.S. citizens and lawfully admitted aliens to have access to their own records that are filed within a "system of records."
A requester may ask to have incorrect factual data amended.
No charge for the request.
Request for Access
Persons, or their designated representatives, may ask for a copy of their records.
Verify the identity of the requester to avoid unauthorized disclosures.
How you verify identity depends on the sensitivity of the requested records.
Consider requests under both the Privacy Act and FOIA.
Requesters should not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making PA requests.
Processing a Request
Processing a Request for Access. Consider a request from an individual for his or her own records in a system of records under both the FOIA and the PA, regardless of the Act cited.
Requesters should describe the records they want. They do not have to name a system of records number, but should at least name a type of record or functional area.
Requesters should not use government equipment, supplies, etc.
Processing a Request
Tell the requester whether a record exists and how to review the record.
Respond within 10 workdays. If you cannot, send a letter explaining why and giving an approximate completion date no more than 20 workdays after the first office received the request.
If the requester amends the request, the agency must respond to the amendment request within 30 business days.
Show or give a copy of the record to the requester within 30 workdays of receiving the request unless the system has an exemption published in the Federal Register as a final rule.
Fees
Give the first 100 pages free and charge only reproduction costs for the remainder.
Do not charge fees:
when an individual can get the records without charge (e.g., medical records)
for search
for reproducing a document for the convenience of the Air Force
for reproducing a record so the requester can review it
Fee Waivers. Waive fees automatically if the direct cost of reproduction is less than $25.
Denying or Limiting Access
System managers process access denials within 5 workdays after receipt of a request for access.
Before denying a request for access to a record, make sure:
the system has an exemption published in the Federal Register as a final rule
the exemption covers each document
nonexempt parts are segregated
Special Provision for Medical Records
If a physician believes that disclosing the requested medical records could harm the person's mental or physical health:
the requester must provide a letter naming a physician to whom the records can be sent
offer the services of a military physician other than the one who provided treatment if naming a physician poses a hardship on the individual
NOTE: The PA requires that the PA Manager ultimately ensure that the subject receives the records.
Third Party Information in PA System of Records
Ordinarily a person is entitled to his or her entire record under the Privacy Act.
Third party personal data: consult your servicing SJA before disclosing third party information.
Generally, if the requester will be denied a right, privilege, or benefit, the requester must be given access to the relevant portions of the file.
Civil Action
Withhold records compiled in connection with a civil action or other proceeding, including any action where the Air Force expects judicial or administrative adjudicatory proceedings.
This exemption does not cover criminal actions.
Do not release attorney work products prepared before, during, or after the action or proceeding.
Denial Authorities
These officials, or a designee, may deny access to or amendment of records as authorized by the Privacy Act.
Amendment Reasons
Individuals may ask to have their records amended to make them accurate, timely, relevant, or complete.
System managers will routinely correct a record if the requester can show that it is factually wrong (e.g., the date of birth is wrong).
Responding to Amendment Request
Anyone may request minor corrections orally. Requests for more serious modifications should be in writing.
After verifying the identity of the requester, make the change, notify all known recipients of the record, and inform the individual.
Acknowledge requests within 10 workdays of receipt. Give an expected completion date unless you complete the change within that time. Final decisions must take no longer than 30 workdays.
Approving or Denying
The Air Force does not usually amend a record when the change is based on opinion, interpretation, or subjective official judgment.
Determinations not to amend such records constitute a denial, and requesters may appeal.
If the system manager decides not to amend the record, send a copy of the request, the record, and the recommended denial reasons to the denial authority through the legal office and the PA office.
Legal offices will include a written legal opinion. The PA officer reviews the proposed denial and the legal opinion and makes a recommendation to the denial authority.
The denial authority (MAJCOM CC) sends the requester a letter with the decision.
Contents of PA Case Files
Do not keep copies of disputed records in this file; file disputed records in their appropriate series.
Use the file solely for statistics and to process requests.
Do not use the case files to make any kind of determination about an individual.
Document reasons for untimely responses.
These files include:
requests from and replies to individuals on whether a system has records about them
requests for access or amendment
approvals, denials, appeals, and final review actions
coordination actions and related papers
Appeals
Individuals who receive a denial of their access or amendment request may request a denial review by writing to the SAF through the denial authority within 60 calendar days after receiving the denial letter.
The denial authority promptly sends a complete appeal package to the MAJCOM PA Manager.
Appeals
The package must include:
the original appeal letter
the initial request
the initial denial
a copy of the record
any internal records or coordination actions relating to the denial
the denial authority's comments on the appellant's arguments
the legal reviews
Computer Matching
Computer matching programs electronically compare records from two or more automated systems, which may include DOD, another Federal agency, or a state or other local government.
A system manager proposing a match that could result in an adverse action against a Federal employee must meet these requirements of the PA:
prepare a written agreement between participants
secure approval of the Defense Data Integrity Board
publish a matching notice in the Federal Register before matching begins
ensure full investigation and due process
act on the information, as necessary
Computer Matching
The PA applies to matching programs that use records from Federal personnel or payroll systems and Federal benefit programs where matching:
determines Federal benefit eligibility
checks on compliance with benefit program requirements
recovers improper payments or delinquent debts from current or former beneficiaries
Matches used for statistics, pilot programs, law enforcement, tax administration, routine administration, background checks, foreign counterintelligence, and internal matching that will not cause any adverse action are exempt from PA matching requirements.
Any activity that expects to participate in a matching program must contact AF-CIO/P immediately.
Record subjects must receive prior notice of a match.
Privacy Act Statement
Give a PAS orally or in writing.
Display a sign in areas where personal information is routinely collected.
Give a copy of the PAS if asked.
Do not ask the person to sign the PAS.
A PAS must include four items:
Authority
Purpose
Routine Uses
Disclosure
Requesting the SSN
When requesting an SSN, provide a Privacy Act Statement that tells the person:
the legal authority for requesting it
the uses that will be made of the SSN
whether providing the SSN is voluntary or mandatory
DO NOT deny anyone a legal right, benefit, or privilege for refusing to give their SSN unless the law requires disclosure, or a law or regulation adopted before January 1, 1975 required the SSN and the Air Force uses it to verify a person's identity in a system of records established before that date.
Requesting the SSN
The Air Force requests an individual's SSN and provides the individual the information required by law when anyone enters military service or becomes an Air Force civilian employee.
Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, authorizes using the SSN as a personal identifier.
SSNs are personal and unique to each individual.
Protect them as FOR OFFICIAL USE ONLY (FOUO). Within DOD, do not disclose them to anyone without an official need to know. Outside DOD, they are not releasable without the person's consent.
Warning Banners
Information systems that contain information on individuals that is retrieved by name or personal identifier are subject to the PA.
The PA requires these systems to have a PA system notice published in the Federal Register that covers the information collection before collection begins.
In addition, all information systems subject to the Privacy Act will have warning banners displayed on the first screen (at a minimum) to assist in safeguarding the information.
Use the following language for the banner:
PRIVACY ACT INFORMATION - The information accessed through this system is FOR OFFICIAL USE ONLY and must be protected in accordance with the Privacy Act, AFI 33-332, DoD 5400.11-R, and DoD 5200.1-R, Appendix 3.
PRIVACY ACT OF 1974
Marking PA Material
Paper Copies
Electronic Copies
Marking PA Material
Information systems containing data on individuals that is retrieved by name or personal identifier are subject to the Privacy Act.
These systems must have a PA system notice published in the Federal Register: http://www.archives.gov/federal-register/index.html
All information systems subject to the PA will have warning banners displayed on the first screen (at a minimum).
Marking PA Material
E-Mail. When transmitting personal information, ensure it is adequately safeguarded, there is an official need, all addressees are authorized to receive it under the PA, and it is protected from unauthorized disclosure, loss, or alteration.
Add FOUO to the beginning of the subject line.
Add the following statement at the beginning of the e-mail:
This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Privacy Act and AFI 33-332.
Information via E-Mail
Do not disclose personal information to anyone outside of DOD unless specifically authorized by the PA.
Do not send PA information to distribution lists or group e-mail addresses unless each member has an official need to know the personal information.
Before forwarding e-mails received with personal information, verify that your intended recipients are authorized to receive the information under the PA.
Privacy on the Web
Do not post personal information on publicly accessible DOD web sites unless clearly authorized by law and implementing regulation and policy.
Do not post personal information on .mil private web sites unless authorized by the local commander, for official purposes, and after an appropriate risk assessment is performed.
Ensure public web sites comply with privacy policies regarding restrictions on persistent and third-party cookies, and add appropriate privacy and security notices at major web site entry points and Privacy Act statements or privacy advisories when collecting personal information.
Privacy on the Web
Include a Privacy Act statement on the web page if it collects information directly from an individual that we maintain and retrieve by his or her name or personal identifier (e.g., SSN).
Any time a web site solicits personally identifying information, even when it is not maintained in a PA system of records, it requires a Privacy Advisory.
The Privacy Advisory informs the individual why the information is solicited and how it will be used. Post the Privacy Advisory on the web page where the information is being solicited, or through a well-marked hyperlink.
Privacy Advisory
Please refer to the Privacy and Security Notice that describes why this information is collected and how it will be used.
Personal Information on Shared Drives
Placing Personal Information on Shared Drives. Personal information should never be placed on shared drives for access by groups of individuals unless each person has an official need to know the information to perform their job.
For officially approved file plans and electronic systems of record, add appropriate access controls to ensure that only authorized individuals can access the approved electronic files.
Recall Rosters
Recall rosters are FOUO because they contain personal information and should be shared with small groups at the lowest levels for official purposes, to reduce the number of people with access to such personal information.
Commanders and supervisors should give consideration to individuals with unlisted phone numbers who do not want their number included on the office recall roster. In those instances, disclosure to the commander or immediate supervisor, or deputy, should normally be sufficient.
Social Rosters
Before including personal information such as spouses' names, home addresses, home phones, birth dates, and similar information on social rosters or directories that are shared with groups of individuals, ask for signed consent statements. Otherwise, do not include the information.
Consent statements must give the individual a choice to consent or not consent, and clearly tell the individual what information is being solicited, the purpose, to whom you plan to disclose the information, and that consent is voluntary. Maintain the signed statements until no longer needed.
Personal Notes
Personal Notes. The Privacy Act does not apply to personal notes on individuals used as memory aids.
Personal notes may become Privacy Act records if they are retrieved by name or other personal identifier and at least one of the following three conditions applies:
keeping or destroying the records is not at the sole discretion of the author;
the notes are required by oral or written directive, regulation, or command policy; or
they are shown to other agency personnel.
USING THE FAX
Consider:
the sensitivity of the information
the location of the equipment and whether the equipment is manned
Call first.
Use a cover sheet.
PA Notifications
Include a PA warning statement in each AF publication that requires collecting or keeping information in a system of records.
Violation Penalties
An individual may file a civil suit against the Air Force for failing to comply with the Privacy Act.
You may sue other military members when a violation has been determined.
Violation Penalties
For knowingly and willfully disclosing information from a system of records to someone not entitled to the information: misdemeanor criminal charge and a fine of up to $5,000.
For knowingly and willfully maintaining a system of records that does not meet the public notice requirements: misdemeanor criminal charge and a fine of up to $5,000.
For knowingly and willfully obtaining someone else's records under false pretenses: misdemeanor criminal charge and a fine of up to $5,000.
Lost, Stolen, or Compromised Information
Report to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery.
Notify the MAJCOM Privacy Act office within 24 hours of discovery for forwarding to the Air Force Privacy Act Office within 48 hours of discovery.
Lost, Stolen, or Compromised Information Reporting:
Identify the organization/unit involved.
Specify the date of the breach and the number of individuals impacted.
Briefly describe the facts and circumstances surrounding the loss, theft, or compromise.
Briefly describe the actions taken in response to the breach:
who investigated
results of the inquiry
action taken to mitigate any harm
The commander shall determine whether administrative or disciplinary action is warranted and appropriate.
Reporting of Lost, Stolen, or Compromised Personally Identifiable Information
a. Component/Organization involved:
Answer:
b. Date of incident and number of individuals impacted (to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.):
Answer:
c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:
Answer:
d. Describe actions taken in response to the incident, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified, and if not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.:
Answer:
US CERT No.: ___________________
NOTE: "Answer:" is not part of the original format of the report.
Protection and Disposing
Protecting. Maintaining information privacy is the responsibility of every federal employee, military member, and contractor who comes in contact with information in any identifiable form, and they must always protect it according to its sensitivity level.
Disposing of Records
Destroy by any method that prevents compromise, such as tearing, burning, or shredding, so long as the personal data is not recognizable and is beyond reconstruction.
Degauss or overwrite magnetic tapes or other magnetic media.
Dispose of paper products through the Defense Reutilization and Marketing Office or through activities that manage a base-wide recycling program.
US-CERT (US Computer Emergency Readiness Team)
http://www.us-cert.gov/
Helpful Links:
http://www.defenselink.mil/privacy/
http://www.defenselink.mil/privacy/SSNReductionPlan.pdf
http://www.ftc.gov/privacy/index.html
http://www.usdoj.gov/oip/index.html
http://www.usdoj.gov/oip/04_7_1.html
http://ogc.navy.mil/dodlinks.asp
http://www.whitehouse.gov/omb/memoranda/index.html
7/29/2019 Cte Privacy Bridges Module 3
47/48
QUESTIONS?