Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Similar documents
Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

The University of British Columbia Board of Governors

PRIVACY POLICY Last Updated May, 2018

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

DEPARTMENT OF HOMELAND SECURITY RECORDS MANAGEMENT HANDBOOK

MNsure Privacy Program Strategic Plan FY

COMMENTARY. Information JONES DAY

Investigating Insider Threats

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

1 Privacy Statement INDEX

TABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII.

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

File No. SR-NASD-00-70

EU Data Protection Agreement

Standard for Security of Information Technology Resources

University of Wisconsin-Madison Policy and Procedure

Customer Proprietary Network Information

EU Data Protection Agreement

Information Security Incident Response and Reporting

Data Processing Agreement for Oracle Cloud Services

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Standard CIP 004 3a Cyber Security Personnel and Training

Access to University Data Policy

1. Right of access. Last Approval Date: May 2018

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

PTLGateway Data Breach Policy

Motorola Mobility Binding Corporate Rules (BCRs)

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

Application and Instructions for Firms

As set out in the Hong Kong ID card, or any relevant identification document referred to in 1(g) above.

Statement of Organization, Functions, and Delegations of Authority: Office of the

by Robert Hudock and Patricia Wagner April 2009 Introduction

June 17, SR-NASD Policy to Conduct Fingerprint-based Background Checks of NASD Employees and Independent Contractors

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Re: File No. SR-NASD Amendments to NASD Rules 1013 and 1140

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Subject: Kier Group plc Data Protection Policy

Ferrous Metal Transfer Privacy Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy

CAET Privacy Policy August

Postal Inspection Service Mail Covers Program

STATE OF NEW JERSEY IT CIRCULAR

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Data Use and Reciprocal Support Agreement (DURSA) Overview

Subject: University Information Technology Resource Security Policy: OUTDATED

PROCESS FOR UPDATING WEBSITES AT NASA LARC. Organizational Unit Manager (OUM) or designee. Approve? (see Note 1) Yes

Janie Appleseed Network Privacy Policy

HPE DATA PRIVACY AND SECURITY

Employee Security Awareness Training Program

DFARS Cyber Rule Considerations For Contractors In 2018

PRIVACY POLICY VANTAGE HOMES

01.0 Policy Responsibilities and Oversight

8/28/2017. What Is a Federal Record? What is Records Management?

VALUE PAY SERVICES PRIVACY POLICY

2. What is Personal Information and Non-Personally Identifiable Information?

Data Protection Policy

WELLSBORO AREA SCHOOL DISTRICT

NASD NOTICE TO MEMBERS 97-58

Update for the Workgroup for Electronic Data Interchange (WEDI) July 31, 2018

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

INFORMATION TECHNOLOGY POLICY

Section I. GENERAL PROVISIONS

Development of your Company s Record Information System and Disaster Preparedness. The National Emergency Management Summit

NOP ORGANIC PROGRAM CERTIFICATION MANUAL

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Policies and Procedures Date: February 28, 2012

Information Security Incident Response Plan

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

ADIENT VENDOR SECURITY STANDARD

PENN MANOR SCHOOL DISTRICT

THE CAN-SPAM ACT OF 2003: FREQUENTLY ASKED QUESTIONS EFFECTIVE JANUARY 1, December 29, 2003

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

PRIVACY 102 TRAINING FOR SUPERVISORS. PRIVACY ACT OF U.S.C.552a

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Privacy Policy. Third Party Links

DEPARTMENT OF JUSTICE. [CPCLO Order No ] Privacy Act of 1974; System of Records

You can find a brief summary of this Privacy Policy in the chart below.

Re: Special Publication Revision 4, Security Controls of Federal Information Systems and Organizations: Appendix J, Privacy Control Catalog

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Information Security Program

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

ICGI Recommendations for Federal Public Websites

Roche Directive on the Use of Roche Electronic Communication Tools

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

We collect information from you when You register for an Traders account to use the Services or Exchange and when You use such Services. V.

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)

Social Security Number Protection Policy.

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Advisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100

ALABAMA STATE BOARD OF PUBLIC ACCOUNTANCY ADMINISTRATIVE CODE

Privacy Statement of Taiwan Cooperative Bank

Information Security Incident Response Plan

Transcription:

Department of Veterans Affairs VA DIRECTIVE 6502.3 Washington, DC 20420 Transmittal Sheet WEB PAGE PRIVACY POLICY 1. REASON FOR ISSUE: To establish policy for the Department of Veterans Affairs (VA) for the publication and maintenance of Privacy Policies covering all VA Web pages available to the public. 2. SUMMARY OF CONTENTS/MAJOR CHANGES: The directive sets forth: a. This policy requires that all VA Web pages post Privacy Policies, as required by VA directives and in accordance with applicable laws, regulations, and administrative guidance, and defines the organizational responsibilities for the posting of Privacy Policies on VA Web pages. This policy also describes the required content of Privacy Policies and establishes the organizational responsibilities associated with the development and maintenance of such Privacy Policies. b. This policy complies with OMB Memoranda 99-18, Privacy Policies on Federal Web Sites, and 03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. This policy also complies with the E-Government Act of 2002, which requires that all federal Web pages make certain disclosures to users via a posted privacy policy, and the Privacy Act of 1974, as amended, which requires additional disclosures under certain circumstances. 3. RESPONSIBLE OFFICE: Office of Policy, Portfolio Oversight & Execution (005P), Office of the Assistant Secretary for Information and Technology (005). 4. RELATED HANDBOOK: VA Handbook 6502.3; Web Page Privacy Policy. 5. RESCISSIONS: None CERTIFIED BY: /s/ Robert N. McFarland Assistant Secretary for Information and Technology BY DIRECTION OF THE SECRETARY OF VETERANS AFFAIRS: /s/ Robert N. McFarland Assistant Secretary for Information and Technology Distribution: Electronic Only

Blank 2

WEB PAGE PRIVACY POLICY 1. PURPOSE AND SCOPE a. This directive mandates the creation of a VA General Web page Privacy Policy (the General Policy), setting forth how information collected via VA Web sites, pages, and forms is to be collected, used and maintained. This directive establishes the requirements and responsibilities for the creation and maintenance of Limited Privacy Policies (Limited Policies), which govern the handling of personally identifiable information collected via specific Web sites, pages, and forms. This directive also designates the officials responsible for the General Policy and Limited Policies. b. The directive applies to all individuals supporting VA Web sites, including but not limited to full-time and part-time employees, contractors, interns, and volunteers. c. This directive only applies to government information as defined in OMB Circular A- 130, i.e., information created, collected, maintained, processed, disseminated, or disposed of by or for the Federal Government. 2. POLICY a. Privacy Policies (1) All VA privacy policies must be clear, concise, and written in plain language. (2) Every VA Web page must link to an appropriate Privacy Policy. For each page, the responsible official(s) (individual(s) responsible for the creation, design, maintenance, or deployment of a VA Web page) must determine whether a link to the General Policy is sufficient to satisfy legal and regulatory requirements, or whether a link to a page- or site-specific Limited Policy is required. (3) All VA privacy policies must include contact information by which a user may contact the appropriate office for additional information regarding the policy. b. General Web Page Privacy Policy (1) The General Policy is maintained and updated by the VA Privacy Service. The current version is available at www.va.gov/privacy. (2) The General Policy must be updated as necessary to ensure that it remains accurate and complete to the extent required by applicable law, regulation, or guidance. (3) The format of the General Policy must, at a minimum, include the following paragraphs: 3

(a) Introductory language. (b) Information collected and stored automatically. (c) Information collected from Web forms. (d) Security, intrusion, and detection language. (e) Significant actions where information may be subject to the Privacy Act. (4) The General Policy must address the following requirements: (a) Notice of Limited Policies. The General Policy must advise users that Limited Policies will be posted on any pages where additional legal or regulatory disclosure requirements apply, provide the Privacy Act Statement applicable to such pages, and encourage users to review the privacy policy linked to any Web page prior to submitting information via that page. (b) Nature, purpose, use, and sharing of information collected. The General Policy will direct users to Limited Policies for specific information about the nature, purpose, use, and sharing of specific information collected on such pages. (c) Privacy Act information. The General Policy will direct users to Limited Policies for information regarding the collection of information subject to the Privacy Act on such pages. (d) Tracking and customization activities. The General Policy will restrict the use of tracking and customization activities as required by applicable law and OMB guidance. (e) Law enforcement sharing. The General Policy shall reflect that collected information may be shared and protected as necessary for authorized law enforcement, homeland security, and national security activities. (f) Automatically Collected Information. The General Policy must generally state what information VA Web sites collect automatically (i.e., user s IP address, location, and time of visit) and identify the purpose for which it is collected (i.e., site management or security purposes). (g) Intentional Interaction with children. The General Policy must include a statement satisfying the requirements of the Children s Online Privacy Protection Act of 1998 (COPPA). (h) Additional legal requirements. The General Policy shall state that, whenever required by law, additional disclosure requirements under specific statutes and their implementing regulations must be satisfied in the appropriate Limited Policy. 4

(5) A copy of the General Policy must be accessible in a machine-readable format, as defined in 5.b. c. Limited Privacy Policies (1) Every Web site that collects information from users that is subject to additional legal or regulatory requirements beyond those stated in the General Policy must include a link to an appropriate Limited Policy. (2) Each Limited Policy must clearly specify its scope and its relationship to the General Policy, and must clearly and conspicuously link to the General Policy. (3) Limited Policies must provide any additional information required by law, regulation, or applicable guidance regarding the maintenance and use of information collected via a specific Web page. Such information will include, where required: (a) Information regarding consent to collection and sharing of data, (b) Privacy Act Statements. Privacy Act Statements must notify users of: 1. the authority for, purposes and routine uses of the collection of information subject to the Privacy Act, 2. whether providing the information is mandatory or voluntary, 3. the effects of not providing all or any part of the requested information, and 4. if a social security number is being collected, the data subject must be specifically informed whether that disclosure is mandatory, voluntary or required to retain or obtain benefits, by what statutory authority such number is solicited, and what uses will be made of it. (c) Additional legal requirements. If additional disclosures are required under applicable law, regulation, or guidance, (e.g., Health Insurance Portability and Accountability Act of 1996, Gramm-Leach-Bliley Act of 1999, etc.) and such disclosures are not made on the page where information is collected, than such disclosures must be made in the Limited Policy. If such disclosures are made on the page, the Limited Policy must reference the additional requirements and when practical link to these requirements. 3. RESPONSIBILITIES a. The Assistant Secretary for Information and Technology. The Assistant Secretary for Information and Technology, as the Department s Chief Information Officer (CIO), shall: 5

(1) Establish Department-wide requirements, and provide oversight and guidance for all VA Web page privacy issues; (2) Designate the Associate Deputy Assistant Secretary (ADAS) for Policies, Plans and Programs, as the principal Department official responsible for the VA Privacy Program; (3) Provide oversight and review of the privacy protection of data used and collected on VA Web pages as required by applicable law, regulation and guidance. b. The Associate Deputy Assistant Secretary (ADAS) for Policy, Portfolio Oversight & Execution. The ADAS shall: (1) Provide for the development, issuance and monitoring of Web page Privacy Policies, in accordance with applicable Federal law and guidance; (2) Facilitate cooperation among all Under Secretaries, Assistant Secretaries, and Other Key Officials for the purpose of Web page-related Privacy Policy development and implementation; and (3) Advise the VA CIO, Under Secretaries, Assistant Secretaries, and Other Key Officials on Web page privacy policy compliance and other issues related to the protection of data collected from and resulting from the use of VA Web pages. c. Director, Privacy Service. The Director, Privacy Service shall: (1) Develop, post, and maintain the General Policy; (2) Coordinate Department-wide Web page privacy requirements, and provide information and guidance in coordination with the Office of General Counsel regarding compliance with all Federal privacy law, regulations, and guidance as applicable to all VA Web pages; (3) Provide a current user manual that delivers guidance for bringing all Department of Veterans Affairs web pages into compliance with Federal and VA web page privacy policies; (4) Provide all required Department-wide Web page privacy-related reporting, including recommendations to the ADAS for Policies, Plans and Programs and the CIO as required by applicable law, regulation and guidance; and (5) Analyze legislative, regulatory, or guidance proposals, in draft or final form, in conjunction with the Office of General Counsel, to determine actual or potential impacts of such measures on VA Web page privacy policy and/or practice. d. Web Masters or other Responsible Officials. Any individual responsible for the creation, design, maintenance, or deployment of a VA Web site must: (1) Determine whether each Web page for which he or she is responsible requires a Limited Policy specific to that page; 6

(2) Consult with the Office of General Counsel and/or the Privacy Service as necessary, and (3) Post all required Privacy Policies, and confirm that they are appropriately accessible to Web page visitors. e. Staff Office and Administration Privacy Officers. The Privacy Officer must review the Limited Policies to be posted on Web pages for the Staff Office or Administration f. The Inspector General. This Office may be requested to: (1) Conduct and supervise Web page privacy audits, and provide follow-up regarding Web page Privacy Program audit findings; and (2) Nothing in this Directive shall prevent or impede the Inspector General from performing duties pursuant to the Inspector General Act or other statutory authority. g. The General Counsel. This Office shall: (1) Interpret laws, regulations, guidance, and directives applicable to VA Web page privacy issues; and (2) Upon request, render legal opinions regarding compliance with the Web page privacy laws regulations, guidance, and directives as well as: (a) Provide legal reviews of audits for compliance with applicable laws, regulations, guidance, and directives; and (b) Provide legal advice and services to the Secretary, Under Secretaries, Assistant Secretaries, and Other Key Officials related to Web page privacy issues. h. Under Secretaries, Assistant Secretaries, and Other Key Officials. Under Secretaries, Assistant Secretaries, and Other Key Officials shall: (1) Ensure, per this directive and other applicable guidance, that Department-wide Web page privacy policies and procedures are implemented; (2) Ensure that all data (collected via Web pages) within the systems and resources for which they are responsible are adequately secured; (3) Ensure that all employees and other authorized individuals under their jurisdiction act in compliance with the Department's Web page privacy policies; (4) Ensure that any reporting or notice requirements are met; 7

(5) Ensure that all breaches of applicable Federal privacy law that appear to constitute a criminal violation of law, be referred for investigation to the Office of the Inspector General; and (6) Ensure that noncompliance with these policies by VA personnel and other authorized individuals are addressed and remedied promptly. 4. REFERENCES a. E-Government Act of 2002, Pub. L. 107-347. b. Government Paperwork Elimination Act of 1988, Pub. L. 105-277. c. Gramm-Leach-Bliley Act of 1999, Pub. L. 106-102. d. Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191. e. OMB Memo 99-18, Privacy Policies on Federal Web Sites, June 2, 1999, and attachment, Guidance and Model Language for Federal Web Site Privacy Policies. f. OMB Memo 03-22, Guidance for Implementing the Privacy Provisions of the E- Government Act of 2002, Sept. 26, 2003. g. Paperwork Reduction Act of 1995, Pub. L. 104-13. h. Privacy Act of 1974, 5 USC 552a, Pub. L. 93-579. i. Privacy Policies and Data Collection on Federal Web Sites, OMB Memo 00-13, June 22, 2000. j. VA Handbook 6000, VA IRM Framework, September 17, 1997 k. VA Handbook 6102, Internet/Intranet Services, March 15, 2001. l. VA Directive 6300, Records Information Management, January 12, 1998. m. VA Handbook 6300.5, Procedures for Establishing & Managing Privacy Act Systems of Records, Jan. 12 1998. n. VA Handbook 6300.5/1, Procedures for Establishing & Managing Privacy Act Systems of Records, October 5, 2000. o. VA Directive 6310, Forms, Collections of Information, and Records Management, Dec. 18, 2001. 8

p. VA Handbook 6310.2, Collections of Information Procedures, Dec. 18, 2001. q. VA Directive 6502, Privacy Program, June 30, 2003. 5. DEFINITIONS a. Cookies. A cookie file is a file that resides on the client machine. It contains data passed from Web sites, so that Web sites can communicate with this file when the same client returns. The Web site only has access to the part of the cookie file that represents the interaction with that particular Web site. One common purpose of cookies is to identify Web site visitors and possibly prepare customized Web pages for them. Persistent cookies are stored for a length of time that is set by the Web server when it passes the cookie to the visitor s Web browser. These cookies are used to store information about the visitor between visits to a site. Session cookies, in contrast, are used to store information only within a single visit. These cookies are cached (stored) only while a user is visiting the Web server issuing the cookie and are deleted from the cache when the user closes the session. b. Machine-readable format. The formatting of Web page Privacy Policy statements so they can be read by Web browsers or other applications designed to interpret machine-readable policy statements. Such technologies may then alert users automatically about whether site privacy practices match their personal privacy preferences. c. Personally Identifiable Information. Any information about an individual that identifies that individual. d. Privacy Act Statements. A set of disclosures mandated by the Privacy Act which must be made when collecting information from individuals subject to that Act. e. Web page and Web site. A Web page is a document created with hypertext markup language (HTML) that may be part of a group of hypertext documents or resources available on the World Wide Web. Collectively, a set of these documents and resources may form a Web site. Every Web page is identified by a unique universal resource locator (URL). 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback