Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Similar documents
Employee Security Awareness Training Program

PRIVACY 102 TRAINING FOR SUPERVISORS. PRIVACY ACT OF U.S.C.552a

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Red Flags/Identity Theft Prevention Policy: Purpose

SPRING-FORD AREA SCHOOL DISTRICT

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Privacy Breach Policy

Data Privacy Breach Policy and Procedure

UTAH VALLEY UNIVERSITY Policies and Procedures

Enterprise Income Verification (EIV) System User Access Authorization Form

Red Flags Program. Purpose

SECURITY & PRIVACY DOCUMENTATION

IDENTITY THEFT PREVENTION Policy Statement

Security and Privacy Breach Notification

FHA Update for Housing Counselors

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

PII SPOT CHECK DOCUMENTATION

Information Security Incident Response and Reporting

Putting It All Together:

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

GM Information Security Controls

Subject: Kier Group plc Data Protection Policy

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Regulation P & GLBA Training

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The University of British Columbia Board of Governors

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Ohio Supercomputer Center

Subject: University Information Technology Resource Security Policy: OUTDATED

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Breaches and Remediation

Table of Contents. PCI Information Security Policy

Identity Theft Prevention Policy

Pasco Police Department Policy Manual. CRIME ANALYSIS AND INTELLIGENCE Chapter No. 40. Effective Date: 04/01/2018. Reference:

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Information Technology Standards

HIPAA Privacy and Security Training Program

Access to University Data Policy

Data Compromise Notice Procedure Summary and Guide

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

2. What is Personal Information and Non-Personally Identifiable Information?

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Privacy Roots: SORNs and PIAs. Systems of Records Notices TIMOTHY H. GRAHAM U.S. DEPARTMENT OF VETERANS AFFAIRS VETERANS HEALTH ADMINISTRATION

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

University Policies and Procedures ELECTRONIC MAIL POLICY

Acceptable Use Policy

University of Wisconsin-Madison Policy and Procedure

Freedom of Information and Protection of Privacy (FOIPOP)

Shaw Privacy Policy. 1- Our commitment to you

I HAVE ALL THESE RECORDS. NOW WHAT? Serving Durham, Wake, Cumberland and Johnston Counties

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

8/28/2017. What Is a Federal Record? What is Records Management?

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

Cellular Site Simulator Usage and Privacy

Privacy and Security Basics for CDSME Data Collection. Updated October 2016

Data Processing Agreement

Privacy & Information Security Protocol: Breach Notification & Mitigation

Customer Proprietary Network Information

Data Protection Policy

Ferrous Metal Transfer Privacy Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

UWTSD Group Data Protection Policy

Course Objectives Identifying Personally Identifiable Information (PII) Safeguarding Procedures of PII Reporting PII Breaches Proper disposal of PII

5/6/2013. Creating and preserving records that contain adequate and proper documentation of the organization.

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

I. PURPOSE III. PROCEDURE

SAC PA Security Frameworks - FISMA and NIST

GENERAL PRIVACY POLICY

7/21/2017. Privacy Impact Assessments. Privacy Impact Assessments. What is a Privacy Impact Assessment (PIA)? What is a PIA?

AGREEMENT FOR RECEIPT AND USE OF MARKET DATA: ADDITIONAL PROVISIONS

University of North Texas System Administration Identity Theft Prevention Program

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Media Protection Program

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

HIPAA FOR BROKERS. revised 10/17

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Checklist: Credit Union Information Security and Privacy Policies

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

examinations. 1. Policy Statement 2. Examination Arrangements 3. Examination Papers 4. Examination Venue Arrangements

A full list of SaltWire Network Inc. publications is available by visiting saltwire.com.

Breaches and Remediation

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

PCA Staff guide: Information Security Code of Practice (ISCoP)

Postal Inspection Service Mail Covers Program

Privacy Act; System of Records; Amendment of the EPA Personnel Emergency

PS Mailing Services Ltd Data Protection Policy May 2018

Privacy Impact Assessment for the National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP) DHS/NPPD-021.

Information Security Policy

LCU Privacy Breach Response Plan

Bring Your Own Device Policy

ISSP Network Security Plan

Management: A Guide For Harvard Administrators

TransLink Video Surveillance & Audio Recording Privacy Statement

Transcription:

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program 1

Protecting Personally Identifiable Information (PII) Please call: (866) 615-1890 Participant Access Code: 331666 to join the conference call (audio) portion of the webinar (date)

Webinar Logistics: Audio is being recorded. It will be available along with the PowerPoint at www.hud.gov/housingcounseling under Webinar Archives Attendee lines will muted during presentation. There will be opportunities to ask questions. The operator will ask for people who want to make a comment, please follow the operator s instructions at discussion and Q&A times. If unmuted during Q&A, please do not use a speaker phone. Please do not use Hold button if it will play music or other disruptive announcements. 2/7/2014 3

GoToWebinar: Ask Questions Your Participation Please submit your text questions and comments using the Questions Panel. We will answer some of them during the webinar. You can also send questions and comments to housing.counseling@hud.gov Note: Today s presentation is being recorded and will be provided within 48 hours. The replay information will be sent out via ListServ. 2/7/2014 4

Brief Survey Please complete the brief survey at the end of this session. Your responses will help OHC better plan and present our webinars. 2/7/2014 5

Certificate of Training You will receive a thank you for attending email from GoToWebinar within 48 hours. The email will say that it is your Certificate of Training. Print out and save that email for your records.

Welcome Jerry Mayer Director Office of Outreach and Capacity Building Office of Housing Counseling 7

Privacy Requirements of the Housing Counseling Program Outlined in Handbook 7610.1 and 24CFR214 HUD and the approved housing counseling agencies must maintain the confidentiality and privacy of client information. Agencies must keep all client information, including credit reports, confidential and secure. All staff who interact with clients and collect personal information must be trained on privacy issues and procedures. HUD and the approved agencies must safeguard data with client information. Loss of data must be reported to HUD immediately. 8

Agency Privacy Policy In addition the required disclosures, it is recommended that agencies disclose their privacy policy privacy policy is a legal document that states how an HCA collects, manages, and discloses both public and personal client data. On the form, HCAs typically list the entities to whom they disclose client information. Information on Privacy Policies and sample forms are in the Capacity Building Toolkit on OHC s webpage. 9

WELCOME from the Office of the Chief Information Officer Janice E. Noble Lead, Privacy Training and Communications OCIO Privacy Program 10

The Privacy Act Agenda Overview of additional Privacy-related Federal Statutes and HUD s Privacy Policies Definitions HUD s Privacy Policy and Guidance Breach Procedures for Housing Counseling Agencies Consequences of Non-compliance Reporting Privacy Incidents/Breaches References and Contacts 11

Privacy Act Enacted in 1974 (5 U.S.C. 552a) Establishes controls on personal information collected, maintained, and used by executive agencies. Establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of information about individuals that is maintained in a system of records by Federal agencies. 12

Privacy Act Enacted in 1974 (5 U.S.C. 552a) Requires agencies to: Inform individuals of the purpose, use and sharing of personal information. Grant access to individuals on whom records are maintained. Develop System of Record Notices (SORNs). Conduct Privacy Reviews. Ensure key personnel are trained. 13

Privacy Act Enacted in 1974 (5 U.S.C. 552a) The Privacy Act requires that federal agencies maintain only such information about individuals that is relevant and necessary to accomplish its purpose. The Privacy Act also requires that the information be maintained in systems of records electronic and paper -- that have the appropriate administrative, technical, and physical safeguards to protect the information. This responsibility extends to contracts, third parties, HCAs/PHAs who are required to maintain such systems of records by HUD. 14

Other Federal Statutes Electronic Government (E-Gov) Act Enacted in 2002 (44 U.S.C. S. 101). Requires Agencies to: Conduct Privacy Impact Assessments (PIAs) for electronic systems. Post privacy notices on agency Web sites Designate an Agency Privacy Official Report annually to OMB. 15

Other Federal Statutes Federal Information Security Management Act (FISMA) Requires agencies to: Report at least annually on Privacy Management PIAS SORNs Privacy reviews Provide annual security/privacy awareness training 16

Definitions Privacy Act Information Data about an individual that is retrieved by name or other personal identifier assigned to the individual. Personally Identifiable Information (PII) Any information about an individual maintained by an agency, which can be used to distinguish, trace, or identify an individual s identity, including personal information which is linked or linkable to an individual. 17

Definitions Sensitive Personally Identifiable Information (SPII). Social Security numbers, or comparable identification numbers; financial information associated with individuals; and medical information associated with individuals. Note: Sensitive PII, a subset of PII, requires additional levels of security controls. System of Records Any group of records under the control of the Agency where the information is retrieved by a personal identifier. 18

Personally Identifiable Information 19

HUD s Privacy Policy and Guidance Privacy Act Handbook http://portal.hud.gov/hudportal/docu ments/huddoc?id=13251trnchch.pdf HUD s Privacy Principle http://portal.hud.gov/hudportal/hud? src=/program_offices/cio/privacy/docu ments/privprin PIH Notice 2014-10, HUD Privacy Protection Guidance for Third Parties http://portal.hud.gov/hudportal/docu ments/huddoc?id=pih2014-10.pdf 20

HUD s Privacy Protection Guidance for Third Parties HUD expects its third party business partners, including Housing Authorities, who collect, use, maintain, or disseminate HUD information, to protect the privacy of that information in accordance with applicable law. 21

HUD s Privacy Protection Guidance for Third Parties Housing Counseling Agencies should take the following steps to help ensure compliance with these requirements: Limit Collection of PII Manage Access to Sensitive PII Protect Electronic Transmissions of Sensitive PII via fax, email, etc. Protect Hard Copy Transmissions of Files Containing Sensitive PII Records Management Retention and Disposition Incident Response 22

HUD s Privacy Protection Guidance for Third Parties Limit Collection of PII Do not collect or maintain sensitive PII without proper authorization. Collect only the PII that is needed for the purposes for which it is collected. 23

HUD s Privacy Protection Guidance for Third Parties Manage Access to Sensitive PII Only share or discuss sensitive PII with those persons who have a need to know for purposes of their work. Collect only the PII that is needed for the purposes for which it is collected. 24

HUD s Privacy Protection Guidance for Third Parties Manage Access to Sensitive PII When discussing sensitive PII on the telephone, confirm that you are speaking to the right person before discussing the information. and inform him/her that the discussion will include sensitive PII. Never leave messages containing sensitive PII on voicemail. Avoid discussing sensitive PII if there are unauthorized personnel, contractors, or guests nearby who may overhear your conversation. 25

HUD s Privacy Protection Guidance for Third Parties Manage Access to Sensitive PII Hold meetings in a secure place if sensitive PII will be discussed. Treat notes and minutes from such meetings as confidential unless you can verify that they do not contain sensitive PII. Record the date, time, place, subject, chairperson, and attendees at any meeting involving sensitive PII. 26

HUD s Privacy Protection Guidance for Third Parties Protect Hard Copy and Electronic Files Containing Sensitive PII Clearly label all files containing sensitive PII documents and removal media (example: For Official Use Only) Lock up all hard copy files containing sensitive PII in secured file cabinets and do not leave unattended. Protect all media (thumb drives, CDs, etc.) that contain sensitive PII and do not leave unattended. This information should be maintained either in secured file cabinets or in computers that have been secured. 27

HUD s Privacy Protection Guidance for Third Parties Protect Hard Copy and Electronic Files Containing Sensitive PII Keep accurate records of where PII is stored, used, and maintained Periodically audit all sensitive PII holdings to make sure that all such information can be readily located. 28

HUD s Privacy Protection Guidance for Third Parties Protect Hard Copy and Electronic Files Containing Sensitive PII Secure digital copies of files containing sensitive PII. Protection includes encryption, implementing enhanced authentication mechanisms such as twofactor authentication and limiting the number of people allowed access to the files. Store sensitive PII only on workstations located in areas that have restricted physical access. 29

HUD s Privacy Protection Guidance for Third Parties Protecting Electronic Transmissions of Sensitive PII via fax, email, etc. When faxing sensitive PII, use the date stamp function, confirm the fax number, verify that the intended recipient is available, and confirm that the fax was received. Ensure that none of the transmission is stored in memory on the fax machine, that the fax is in a controlled area, and all paper waste is disposed of properly, (e.g., shredded). When possible, use a fax machine that uses a secure transmission line. 30

HUD s Privacy Protection Guidance for Third Parties Protecting Electronic Transmissions of Sensitive PII via fax, email, etc. Before faxing PII, coordinate with the recipient so that the PII will not be left unattended on the receiving end. When faxing sensitive PII, use only individually controlled fax machines, not central receiving centers. 31

HUD s Privacy Protection Guidance for Third Parties Protecting Electronic Transmissions of Sensitive PII via fax, email, etc. Do not transmit sensitive PII via an unsecured information system (e.g. electronic mail, Internet, or electronic bulletin board) without first encrypting the information. Do not place PII on shared drives, multi-access calendars, the Intranet, or the Internet. 32

HUD s Privacy Protection Guidance for Third Parties Protecting Hard Copy Transmissions of PII via fax, email, etc. Do not remove records about individuals with sensitive PII from facilities where HUD information is authorized to be stored and used unless approval is first obtained from a supervisor. Sufficient justification, as well as evidence of information security, must be presented. 33

HUD s Privacy Protection Guidance for Third Parties Protecting Hard Copy Transmissions of PII via fax, email, etc. Do not use interoffice or translucent envelopes to mail sensitive PII. Use sealable opaque envelopes. Mark the envelope to the person s attention. When using the U.S. Postal Service to deliver information with sensitive PII, double-wrap the documents (e.g. use two envelopes one inside the other) and mark only the inside envelope as confidential with the statement To Be Opened by Addressee Only.) 34

HUD s Privacy Protection Guidance for Third Parties Records Management: Retention and Disposal Follow records management laws, regulations, and policies applicable within your jurisdiction. Do not maintain records longer than required per records management schedules. Dispose of sensitive PII appropriately use shredders for hard copies and permanently erase (not just delete) electronic records. 35

HUD s Privacy Protection Guidance for Third Parties Incident Response Supervisors should ensure that all personnel are familiar with incident response procedures. Promptly report all suspected compromisers of sensitive PII related to HUD programs and projects to HUD S National Help Desk at 1-888-297-8889. 36

Breach Procedure for Housing Counseling Agencies HCA s are responsible for immediately reporting any suspected or known breach of personally identifiable information (PII) as soon as the incident is discovered. Promptly report all suspected compromises of sensitive PII related to HUD programs and projects to HUD s National Help Desk at 1-888-297-8689. 37

Consequences of Non-Compliance The Privacy Act imposes civil penalties when an employee: Unlawfully refuses to amend a record. Unlawfully refuses to grant access to records. Fails to maintain accurate, relevant, timely and complete data. Fails to comply with any Privacy Act provision or agency rule that results in an adverse effect. 38

Consequences of Non-Compliance The Privacy Act imposes criminal penalties: Misdemeanor and a fine of up to $5,000 (for each offense). For knowingly and willfully disclosing Privacy Act information to any person not entitled to receiving it. For maintaining a System of Records without meeting the public notice requirements. For knowingly and willfully requesting or obtaining records under false pretenses. 39

Breach Procedure for Housing Counseling Agencies Full Cooperation The HCA shall cooperate fully with Agency personnel during the investigation. To the extent applicable, the HCA shall assist in the containment, control and safeguarding of information to prevent the breach from re-occurring. Failure to take appropriate action upon discovering the breach, take required steps to prevent a breach from occurring, notify the Agency, or cooperate in the investigation may result in disciplinary actions, parallel enforcement investigations, or litigation. 40

References & Resources The Privacy Act of 1974, http://usdoj.gov/opcl/privstat.htm The E-Government Act of 2002, http://www.whitehouse.gov/omb/memoranda_m03-22/ Federal Information Security Management Act of 2002, Title 3 of e-gov Act of 2002, http://csrc.nist.gov/drivers/documents/fisma-final.pdf 41

Contact 1. In the event of a potential privacy breach, call HUD s National Help Desk at 1-888-297-8689. 2. For all other concerns, contact Janice Noble, HUD s Office of Privacy, privacy@hud.gov 42

National Privacy Program Questions 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback