Privacy Impact Assessment Future Directions
TRICARE Management Activity / HEALTH AFFAIRS
2009 Data Protection Seminar
TMA Privacy Office
Privacy in the News
Purpose
The purpose of this presentation is to provide information on the new efforts to improve the Privacy Impact Assessment (PIA) process, including a synopsis of the new DoD PIA guidance and form.
Objectives
Upon completion of this presentation, you should be able to:
− Identify the key points outlined in the new PIA guidance
− Recognize the new features of the PIA template
− Describe the new efforts established to improve the PIA process
Privacy and the Protection of PII
DoD takes its responsibility seriously to safeguard personally identifiable information (PII) in its possession and to prevent its theft, loss, or compromise
DoD is addressing privacy and security challenges through many initiatives including Privacy Impact Assessments (PIAs), Data-at-Rest (DAR), and ensuring that DoD employees are aware of their privacy responsibilities
PIA Requirements
Federal Agency PIA Requirements
− Section 208 of the E-Government Act of 2002 requires all agencies to conduct PIAs for all new or substantially changed information systems that collect, maintain, or disseminate PII on the public
New DoD PIA Requirements
− DoD Instruction 5400.16 expands the coverage to include Federal personnel, contractors, and foreign nationals employed at U.S. military facilities internationally
Highlights of DoDI 5400.16 PIA Guidance
Formalizes E-Gov Act PIA requirement in DoD for greater visibility and clarity
Enhances responsibilities and accountability
− DoD Program Manager (PM) or designee starts the assessment
− Requires coordination with PM, Information Assurance, and Component Privacy
− Expands signature requirements
Highlights of DoDI 5400.16 PIA Guidance (continued)
Better coordination with other processes
− Privacy Act SORNs
− Information Collection
− Certification and Accreditation
− Budget
Establishes review cycle
Structures privacy risk identification and assessment with new DoD PIA Form (DD 2930)
Highlights of the New PIA Template
DD Form 2930
More comprehensive tool
− Detailed risk analysis questions
− In-depth PII table for selection
− Technical, physical, and administrative control list provided
− Interactive forms with check boxes, radio buttons, and tables
− Digital signatures for the PDF form
− MS Word version also available
New PIA Template
[Slides 10 through 25: walk-through of the new PIA template (DD Form 2930); slide images are not reproduced in this transcript]
FY 09 and FY 10 New Efforts
DoD IT Portfolio Repository (DITPR) data review and analysis of privacy reporting elements
− PIA required elements
− Relationship to SSN and PII data elements
− Analysis of Component PIA information reported
Privacy Threshold Analysis Tool
Develop PIA spot audit process
PIA Data Quality Analysis Actions
Phase 1 actions
− Identify PIA DITPR element changes
− Modify PIA reporting structures
Phase 2 actions focus on analyzing Component data
− Privacy reporting discrepancies
− Records in non-compliance
− Records needing adequate explanations
− Records requiring PIA based on corresponding PII and SSN answers
Privacy Threshold Analysis
Develop a PTA tool that would be the initial determination point for whether privacy documents (SORN and/or PIA) need to be completed
− Incorporate questions related to PIA, SORN, and SSN collection
− Serve as documentation for each new system
Target FY 10 completion and implementation
Privacy Spot Audit Process
Process for privacy personnel to conduct self-assessments focusing on:
− Completeness of PIAs
− Measuring general understanding of PIA process in compliance with DoDI 5400.16
Target FY 10 completion and implementation
Moving Forward in DoD PIA Process
Increase awareness of PII and the need for adequate protection
Increase policy compliance
Better reporting to OMB
Identification of areas for enhanced communication and collaboration to enhance privacy throughout DoD
Summary
You should now be able to:
− Identify the key points outlined in the new PIA guidance
− Recognize the new features of the PIA template
− Describe the new efforts established to improve the PIA process