Elements of a Good Privacy Program (Part Two)

By DON CIO Privacy Team - Published, November 4, 2010

This is part two of Elements of a Good Privacy Program and serves as a best practices guide to help Department of the Navy commands/units implement and sustain privacy awareness and better safeguard personally identifiable information within their control.

The information in this Privacy Tip was adapted from the Federal CIO Council Privacy Committee's June 2010 guide titled, "Elements of a Federal Privacy Program." These best practices may be integrated at any organizational level within the Department -- command, department, division, office or program -- that is responsible or accountable for protecting privacy information.

There are seven elements that provide the basis for a robust DON privacy program. A strong and multifaceted privacy program will help ensure that commands/units consider privacy protections and controls when making business decisions involving the collection, use, sharing, retention, disclosure and destruction of personally identifiable information (PII), whether in paper or electronic form. These seven elements may also influence business decisions involving the use of new technologies or other interactions with the public, contractors or employees that may not involve the collection and use of PII but may raise privacy risks or concerns (e.g., use of third party websites, surveillance cameras, global positioning systems or body imaging screening devices).

The seven elements as described in the "Elements of a Federal Privacy Program" are:

1. Leadership
2. Privacy Risk Management and Compliance Documentation
3. Information Security
4. Incident Response
5. Notice and Redress for Individuals
6. Privacy Training and Awareness
7. Accountability

The first three were addressed in the previous Privacy Tip. The next four are addressed in this Privacy Tip beginning with:

Incident Response

Commands/units are responsible for providing information security protections and complying with security standards and guidelines. Procedures must be established for all levels of responders to detect, report and respond to privacy incidents involving the suspected or confirmed breach of PII. This requires educating all employees and contractors on when and how to report privacy incidents. Employees and contractors include all personnel, including any employee, contractor, company, consultant, partner, detailee, or other government agency that is performing a federal function on behalf of the DON. Even with the implementation and monitoring of privacy and security controls, it is inevitable that commands/units will experience privacy incidents. Being prepared to respond to and mitigate these risks before substantial damage is done is critical to the success of a privacy program. In all breaches the command that discovers the loss, theft or compromise of PII information has a duty to report that a breach has occurred using SECNAV 5211/1. The accountable command has the responsibility of notifying affected personnel when directed by DON CIO and providing supplemental breach report information when available using SECNAV 5211/2.

DON CIO breach reporting guidance identifies the steps a command/unit must take to report PII breaches, notify affected personnel when directed and take corrective action to mitigate potential harm to affected personnel. Additionally, commands/units must provide and apply lessons learned to prevent similar occurrences from happening. The command/unit that discovers the known or suspected loss, theft or compromise of PII must report the incident within one hour. When directed, the responsible command/unit must notify the affected personnel within 10 days of the breach report. These actions and timelines also apply to contractors who are performing a function involving PII on behalf of the DON.

Commands/units may consider, as part of their privacy incident response, using the General Services Administration's blanket purchase agreements to expedite notification and credit monitoring (or similar services) as needed to protect individuals and the organization, and minimize the impact of privacy incidents.

To implement the DON breach reporting policy, commands/units may establish a breach response team. The team can include the Privacy Act coordinator, the manager of the program affected by the breach, the information assurance manager, the public affairs officer and legal counsel. Roles and responsibilities should clearly delineate the responsibilities of personnel, program managers, security managers and senior leadership for:

• Reporting suspected or confirmed incidents involving PII;
• Convening the breach response team to determine the appropriate course of action in the event of a privacy incident; and
• Notifying US-CERT within one hour of discovery and applicable organizations within the chain of command and, when directed by the DON CIO Privacy Office, notifying affected individuals within 10 days of the initial breach report.

The local Privacy Act coordinator is responsible for ensuring that commands/units provide notice to the public (through Privacy Act Statements, online and other public-facing privacy policies, Privacy Impact Assessments (PIAs), and System of Records Notices (SORNs)) about how a program, system or technology will impact their privacy. For example, the notice will describe how PII will be used, shared, retained, disclosed and destroyed. In general, notice should be provided prior to and/or at the time of information collection or creation, unless otherwise directed by applicable laws, directives, policies or regulations.

Notice should inform individuals about:

• What information is being collected;
• The purpose of the collection;
• How the information is used;
• To whom the information is disclosed and shared;
• Individuals' rights under the Privacy Act to access and amend or correct their records to the extent practicable; and
• The types of redress programs available.

Organizations are encouraged to supplement traditional notice methods with more transparent methods outlined in OMB M-10-06: "Open Government Directive."

Commands/units should also have in place policies and procedures for managing privacy complaints or inquiries. Such procedures should ensure that all complaints are recorded, tracked and addressed. Where feasible, organizations should establish an automated tracking process to capture and manage privacy complaints, to promote compliance with written policies and procedure, and to ensure all complaints are addressed.

Privacy Training and Awareness

Privacy training and awareness programs are key elements of building a culture of privacy throughout the DON. Training programs reinforce the implementation of privacy policy and reduce the risk of privacy incidents throughout the Department. Training and awareness are critical elements of an effective privacy program. ALNAV 070/07: "DON Personally Identifiable Information Annual Training Policy" requires that all DON employees and contractors receive mandatory annual privacy training. Successful completion must be documented and on file no later than September 1 of each year. A best practice is that all personnel must successfully complete privacy training before permitted access to DON information and information systems. Additional or advanced training should also be provided commensurate with increased responsibilities or change in duties. Another best practice is to require those personnel who cause or commit a PII breach to take PII refresher training with documented completion for every reportable breach. Both the annual and PII refresher training should include acceptable rules of behavior and the consequences when the rules are not followed. For commands that have authorized telework and other remote access programs, training should also include the rules of such programs. A new PII refresher training course will be available during the winter of 2011.

OMB M-07-16: "Safeguarding Against and Responding to the Breach of Personally Identifiable Information" requires that organizations provide targeted, role-based training to managers, Privacy Act officers and individuals with privacy responsibilities as needed to fulfill specific privacy management responsibilities. Additional or advanced training should be provided, commensurate with increased responsibilities or changes in duties, to those employees and contractors who handle PII. An organization should provide advanced training to ensure that individuals are fully aware of privacy protection requirements specific to the data and records they process and as outlined in the applicable SORN and/or PIAs. Privacy training should be provided commensurate with clearly defined roles and: before authorizing access to the information system or performing assigned duties; when required by system changes; and as the sensitivity of the PII warrants. Where feasible, privacy and awareness training should be offered online via computer-based training or an internal learning management system/training delivery system.

Commands/units should augment privacy training for all individuals with creative methods that promote ongoing awareness of privacy and security responsibilities (e.g., weekly Plan Of the Day notes, posters and annual stand downs). Use of the "Department of the Navy User's Guide to Personally Identifiable Information" is also highly encouraged. Many of these tools may be downloaded from the DON CIO website.

Accountability is another key principle. Commands/units are accountable for compliance with all applicable privacy protection requirements, including all legal authorities and established policies and procedures that protect privacy and govern the collection, use, dissemination and maintenance of PII. This also includes auditing for the use of PII to demonstrate compliance with established privacy controls and guidance. Accountability through effective monitoring and measurement controls demonstrates that commands/units are complying with all of its applicable privacy protection requirements.

Commands/units are accountable for ensuring that the first six elements are successfully executed. In turn, when successfully implemented, each element itself includes aspects of accountability as follows:

Element 1: Leadership: Command/unit leadership should establish effective privacy programs at the local level implementing policy, compliance and training throughout the privacy program. Corrective action should be taken immediately where vulnerabilities exist, and personal accountability actions should be taken when applicable. See the DON table of potential consequences and penalties for the mishandling/improper safeguarding of PII.

Element 2: Privacy Risk Management and Compliance Documentation: The organization is accountable for identifying privacy risk in its business processes and IT systems and for implementing mechanisms to ensure the organization documents are in compliance with laws, regulations, and policies governing the protection of privacy. The organization is accountable for applying a risk-based approach to the management of privacy.

Element 3: Information Security: Commands/units are accountable for protecting PII that they collect, use, share, retain, disclose, turn-in and physically destroy, through appropriate administrative, technical and physical safeguards.

Element 4: Incident Response: Commands/units are accountable for having a robust plan for managing incidents involving the potential or actual leakage of PII that includes notification to appropriate DON leadership, affected personnel and members of the public where appropriate.

Element 5: Notice and Redress for Individuals: Commands/units are accountable for providing transparency through clear notice to the public about the organization's information handling practices and mechanisms for individual participation to ensure appropriate access, correction and redress regarding the use of PII.

Element 6: Privacy Training and Awareness: Commands/units are accountable for ensuring all employees and contractors under their control have successfully completed PII training. Role-based PII training should also be provided commensurate with employee responsibilities and job assignment.

Accountability

Additional aspects of accountability include:

Commands/units must perform compliance spot checks two times per year ensuring proper controls are in place to safeguard privacy sensitive information in accordance with applicable privacy laws, regulations, Department of Defense, DON and local command policies, and any other established privacy controls.

Internal and external reporting are typical requirements to ensure full accountability. In some instances, automated tools can be used to support reporting requirements.

Commands/units may elect to require internal reporting. Internal reporting may take several forms, such as weekly or monthly reporting to senior management on privacy program activities and progress. Commands/units also may require sub-organization or component program progress and compliance reporting to their individual leadership as well as to the Senior Agency Official for Privacy/Chief Privacy Official. Organizations should review incident reporting data at least quarterly to assess both enterprise and component compliance.

The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document and implement an agency-wide information security program. Commands/units are required to report quarterly and annually to Navy and Marine Corps privacy offices their progress in conducting PIAs and issuing SORNs for IT systems that are required to go through FISMA certification and accreditation. An organization's quarterly and annual FISMA reports include statistics on required and completed PIAs and SORNs for systems that are operational or that are registered in the DITPR-DON database.

TAGS: IA, IDManagement, Privacy