Elements of a Good Privacy Program

By DON CIO Privacy Team - Published, October 12, 2010

This Privacy Tip will be published in two parts and serves as a best practices guide to help Department of the Navy commands/units implement and sustain privacy awareness and better safeguard personally identifiable information within their control.

The information in this Privacy Tip was adapted from the Federal CIO Council Privacy Committee's June 2010 guide titled, "Elements of a Federal Privacy Program." These best practices may be integrated at any organizational level within the Department -- command, department, division, office or program -- that is responsible or accountable for protecting privacy information.

There are seven elements that provide the basis for a robust DON privacy program. A strong and multifaceted privacy program will help ensure that commands/units consider privacy protections and controls when making business decisions involving the collection, use, sharing, retention, disclosure and destruction of personally identifiable information (PII), whether in paper or electronic form. These seven elements may also influence business decisions involving the use of new technologies or other interactions with the public, contractors or employees that may not involve the collection and use of PII but may raise privacy risks or concerns (e.g., use of third party websites, surveillance cameras, global positioning systems or body imaging screening devices).

The seven elements as described in the "Elements of a Federal Privacy Program" are:

1. Leadership
2. Privacy Risk Management and Compliance Documentation
3. Information Security
4. Incident Response
5. Notice and Redress for Individuals
6. Privacy Training and Awareness
7. Accountability

Leadership

The success of a command's/unit's privacy program depends on the support of its leadership. The Under Secretary of the Navy (UNSECNAV) stated his commitment to protecting PII in the Feb. 2, 2010, memo, "Safeguarding Personally Identifiable Information." In it he stated, "Our Sailors, Marines, and civilians, along with their dependents, expect us to keep their PII safe, and it is our charge to ensure that all systems and processes we employ adequately safeguard this information. We cannot tolerate the continued loss of this data as it directly impacts the morale, security and financial well-being of our personnel. I want to convey the seriousness I place on personal privacy and the safe management of DON PII, and intend to make eradicating further PII breaches a Departmental priority."

Additionally, the U.S. Navy made privacy a Fiscal Year 2011 objective, setting goals and standards to improve the handling of PII and increase privacy awareness across the Department. Following the Under Secretary of the Navy's lead, the Chief of Naval Operations released NAVADMIN 125/10: "Safeguarding Personally Identifiable Information" and the Commandant of the Marine Corps released MARADMIN 162/10: "Safeguarding Personally Identifiable Information," stating their strong support of an effective privacy program among their respective services. Further, the UNSECNAV designated the DON Chief Information Officer as the Senior Military Component Official for Privacy (SMCOP) in the memo, "DON Privacy Program and Appointment of the Senior Military Component Official for Privacy." The SMCOP has oversight of the DON Privacy Program with the authority to manage and implement an effective privacy program.

Support from the commanding officer may include: making it clear to subordinates that privacy issues are integral to the command/unit accomplishing its mission; communicating the importance of privacy to staff; participating in selected privacy programs and initiatives; and providing adequate resources to support a robust privacy program. Each command/unit should designate as a primary or collateral duty a Privacy Act coordinator or a privacy official who can develop and implement command/unit policies and be the focal point of their privacy program. Each command/unit needs to evaluate its particular situation to determine the appropriate management structure for privacy. Relevant authorities include those specifically delineated by SECNAV 5211.5E: "DON Privacy Program," as well as requirements set forth by subordinate instructions or directives.

Privacy Risk Management and Compliance Documentation

The Privacy Impact Assessment (PIA) and System of Records Notice (SORN) are the key tools through which organizations identify holdings of PII, assess privacy risks and implement privacy protections in their systems and programs. As part of the privacy compliance process the Privacy Act coordinator or privacy official works with program managers, system owners and IT security personnel to ensure that sound privacy practices and controls are integrated into the command's/unit's operations and activities that impact privacy. Naval message DTG 181430Z MAY 09: "DON Privacy Impact Assessment Guidance" requires a PIA for all IT systems whether or not they collect PII. As stated in OMB M-10-23: “Guidance for Agency Use of Third-Party Websites and Applications" a blanket or "Adapted" PIA is also required for third party social media.

The Privacy Act requires Federal agencies to issue SORNs for every system of records under their control that collects PII and from which a person's records are retrieved by a unique identifier. A SORN is a legal document used to promote transparency and provide notice to the public regarding their rights and procedures for accessing and correcting PII maintained by the agency.

Another PII tool is the Privacy Act Statement (PAS). A PAS is required on all official forms (paper and electronic) that the organization uses to collect PII from members of the public or Federal employees. These statements inform individuals at the time their information is collected what the legal authority for and purpose of the collection is, and how the organization will use the information. Privacy Act Statements also notify individuals whether providing the information requested is mandatory or voluntary and the consequences of failing to provide the information.

The DON PII Spot Check Form is used to ensure DON privacy policies and best business practices are incorporated into local command/unit privacy programs. The form addresses key areas of privacy that require special handling, including websites, shared drives, laptop computers, disposal and paper document storage. Use of the DON PII Spot Check Form is required by all commands/activities that handle, store, transmit or use PII. (See: ALNAV 070/07: "DON Personally Identifiable Information Annual Training Policy.") This PII compliance tool may be tailored to specific command/unit needs and must be completed twice a year. The results of the spot check and the follow-on actions must be on file at the local command/unit.

Information Security

Robust privacy and security programs are essential to the protection of PII collected, used, shared, retained, disclosed and destroyed by the command/unit. Privacy and information security programs are dependent on each other and have complementary objectives. The Privacy Act expressly requires that PII be secured and that the confidentiality, integrity and availability of the data be maintained. The E-Government Act places additional security responsibilities on commands/units. A close partnership between the Privacy Act coordinator and the information assurance manager (IAM) is critical to the success of these programs. The PA coordinator/privacy official must keep the IAM informed of current privacy protection requirements for PII as set forth by statute, regulation and/or policy. Whenever feasible, commands/units should use appropriate technologies (e.g., data at rest and data loss protection) for privacy-related data management.

The PA coordinator/privacy official must direct action to minimize the collection or retention of PII to only information that is necessary and relevant to the mission. This is important to mitigate the risk of information being compromised, inadvertently exposed or stolen. If the organization does not need the data, then it should not be collected. In this instance, a "less-is-more" approach will actually enhance information security. Records containing PII must be maintained in accordance with the DON Records Management Manual and retention, disposition and destruction schedules to further support the goals of privacy and security must be established and enforced.

It is vital that organizations incorporate security and privacy risk mitigation in the earliest project and lifecycle planning stages, providing project managers with the opportunity to build security and privacy directly into processes and tools. Integrated security and privacy controls are more effective, easier to maintain and typically have lower lifecycle costs. Failure to do so not only can cause individual harm to those whose information is compromised or lost, but also may cause the organization to suffer significant loss of reputation and loss of public trust. Information security must be made a priority at every level of the command/unit and this message must be continually reinforced.

Next month's Privacy Tip will include the remaining elements of a good privacy program.

TAGS: IDManagement, Privacy, RM