Introduction to the West Virginia Executive Branch Privacy Policies
Executive Branch Privacy Program
Education & the Arts
Presented by Heather Butler, Privacy Coordinator, WVDCH
May 2009

Welcome to the Privacy Program!
The Privacy Program consists of six policies:
Notice
Consent
Individual Rights
Minimum Necessary and Limited Use
Security Safeguards
Accountability
These all take effect on August 1, 2009.
Compliance is required for all Executive Branch Agencies, including Education & the Arts.

Why Have a Privacy Program?
The Privacy Program demonstrates our commitment to respecting people by protecting their information and using it properly.
Our commitment extends to all our employees as well as our citizens, service providers and other business partners.
The Privacy Program balances individual privacy with our legitimate needs to collect, use and disclose information for Agency business purposes.

Policies Govern “PII”
PII = personally identifiable information
PII is any information that can be used to identify, locate or contact a person.
Includes obvious information, such as names, addresses and Social Security numbers
And less obvious information, such as email addresses, driver’s license numbers and credit card numbers
Even regulated information – Protected Health Information (PHI) – is part of PII
Includes information about citizens, co-workers, vendors and employers – every person you encounter
Includes information in every format – computerized or paper

Sensitive PII is a Subset of PII
Some PII is classified as “sensitive”.
Sensitive PII (or SPII) consists of those elements of PII that require greater protection:
All health information and medical records, including (but not limited to) PHI
Social Security numbers, driver’s license numbers
Financial account information, including bank account numbers and payment card information

Privacy Program Summary
Policies regulate our collection, use, transfer and storage of PII.
They provide for transparency, using privacy notice, and choice.
They require that we respect individual rights of access and correction.
They demonstrate our willingness to accommodate individual privacy concerns.
They require us to answer questions and respond to complaints.

NOTICES
What is a Notice?
Why is it important?
Drafting privacy notice
Notice required for EACH process
Concept of “Layered Notices”
How are notices delivered?

The Consent Policy
Reflects our commitment to giving people choice about how we collect, use and disclose their PII.
Recognizes that sometimes choice isn’t possible.
What is choice? The ability to specify whether PII will be collected and/or how it will be used or disclosed.
Opt in vs. opt out

How the Consent Policy Works
Sometimes a person’s consent is required before you can use PII – if this is true, you must obtain consent.
For example, our HIPAA Policy requires consent before a person’s PHI can be shared for fundraising.
Sometimes you are required to collect PII – if this is true, you may use the PII even if the person objects.
For example, our Communicable Diseases Policy mandates that you disclose some PHI for public health purposes.
In most cases, consent is not required – if this is true, you may collect the PII, but you offer individuals choice wherever possible.

The Individual Rights Policy
Demonstrates our commitment to:
Collecting PII directly from the individual, where possible
Giving individuals the ability to access, copy and amend their PII
Answering questions about our use and handling of PII
Trying to address individual privacy concerns

Why is Access Important?
“Access” is the ability of a person to view the PII held by an organization.
This ability is usually complemented by an ability to update the information.
Access rights help ensure accuracy – this is especially important for PII used for substantive decision-making.
They also improve accountability – by viewing the PII held, individuals can confirm that we are complying with the promises in our privacy notices.

Respecting Access Rights
We have processes for evaluating access requests and providing access to PII.
We also have a process for updating PII, if it’s not accurate.
REFER REQUESTS TO PRIVACY COORDINATOR OR PRIVACY OFFICER

The Minimum Necessary and Limited Use Principle
Demonstrates our commitment to only collecting the PII that we really need for Agency business.
Requires us to give people choice when we collect PII that isn’t strictly necessary for the process at hand.

Why is Minimum Necessary Important?
Demonstrates respect for privacy by addressing one of the most common concerns, “excessive” collection of PII.
Forces us to think about the purposes for the processing – and the purposes for each element of PII that we request.
Helps ensure we keep our privacy promises by limiting the opportunity for mission creep.

Limit Collection of PII
Determine what elements of PII you really need for a process – i.e., the PII you must collect.
If you wish to collect additional elements of PII, you MAY do so if:
You have a specific purpose for the PII, related to legitimate Agency business,
That purpose is described in the privacy notice, AND
You offer individuals choice, so they can decline to provide the PII.
You may not require an individual to provide more than the minimum necessary PII.

Limit Collection of PII – Example
You run a state campground. To enable camping, you must collect the person’s name and payment information.
You may collect an emergency contact, in case something bad happens.
You may collect an email address, in case you send happy camper email newsletters.
You may collect demographic data or conduct surveys, in case you want to know more about your customers and what they’d like from your campground.
You cannot require emergency contacts, email addresses or survey responses – but you may certainly ask.
Your privacy notice must address all the elements.

Limit Disclosure of PII
When disclosing PII to third parties (such as vendors or other agencies), only disclose those elements of PII that are needed by the third party.
Extract the required elements of PII, and don’t share anything else.

The Security Safeguards Policy
You cannot respect privacy unless you secure the PII.
The Security Safeguards Policy requires each Agency to have appropriate controls to protect PII.
We protect the PII from (i) anticipated threats or hazards, and (ii) unauthorized access, use or disclosure.
We protect ALL PII, with special attention on sensitive PII.
We protect PII in all formats – paper or computerized.
We collaborate with the Office of Technology (OT) on information security requirements.

Comply with OT Policies
The most important requirement is that you follow all the OT security rules:
http://www.state.wv.us/ot/PDF/Document_center/SecurityPol0107.pdf
Take a few moments to review these rules and make sure you understand exactly how they apply to your daily activities.
Ask questions if you aren’t sure!
Also review the Agency Acceptable Use Policy.

Security Incidents
A “Security Incident” is any incident that compromises the security, confidentiality, or integrity of PII (with or without SPII).
Unauthorized disclosures of PII are always security incidents.
Other examples:
Lost or stolen laptop or device (PDA, cell phone)
Lost or stolen storage media (memory stick, CD-ROM)
Lost or stolen paper records
Lost or compromised password or access card
Presence of viruses, spyware or other malicious code on a computer or device

Security Incidents
Even the very best organizations have security incidents.
Workers in the best organizations watch for incidents and report them immediately.
This allows the Privacy Officer and security teams to manage the risks and limit damage.
Your job is to report all incidents to your manager, the Privacy Officer or the Helpdesk as soon as you become aware of a problem!

The Accountability Policy
Everyone is responsible for privacy and security.
Everyone has access to lots of PII and SPII – about your co-workers, the citizens we serve, and our business partners.
It is your job to understand how the Privacy Policies apply to the PII you have.
It is your job to forward questions and complaints to your manager or the Privacy Officer.
It is also your job to tell us about any mistakes that might compromise or expose PII.

What It Means For You
Read the Policies – be sure you understand how they apply to your day-to-day activities.
Ask questions – if you aren’t sure of something, ask your manager or the Privacy Officer.
Don’t be afraid to say no – you have the power to question anything that doesn’t seem right!
Call the OT Helpdesk if you have any security questions.
Report complaints, violations and mistakes IMMEDIATELY.

Names & Numbers to Know
OT Helpdesk: (304) 558-1257
Agency Privacy Officer
WVDCH – Heather Butler: (304) 558-0220
Education and the Arts – Tiffany Redman: (304) 558-2440

Questions & Comments