
Privacy Awareness

Walter Clay
17 May 2018

PUTTING THE EBC FAMILY BACK TOGETHER
Lesson Objectives

After completing this lesson, students will be able to:

 Define privacy
 Identify laws governing PII
 Define PII and list examples
Lesson Overview

During this lesson, the following topics will be discussed:

 What is Privacy?
 Laws and guidance governing PII
 Personally Identifiable Information
 Possible Consequences of Privacy Violations

Rules of Engagement:
 Participate
 Ask questions
What Is Privacy?

Privacy is a set of fair information practices to ensure:

 Personal information is accurate, relevant, and current.
 All uses of information are known and appropriate.
 Personally identifiable information is protected.

Privacy also:
 Allows individuals a choice in how their information is used or disclosed.
 Assures that personal data will be used and viewed for official purposes only.
 Enables trust between an organization and the public.
Definition of PII

PII is any information which can be used to distinguish or trace an individual's identity, such as
their name, Social Security number, date and place of birth, mother's maiden name, and
biometric records, together with any other personal information which is linked or linkable to an
individual and permits that individual's identity to be directly or indirectly inferred.

PII is any data that could potentially identify a specific individual. Any information that can be
used to distinguish one person from another, or that can be used to de-anonymize anonymous
data, can be considered PII.

Definition of Linked and Linkable

 Linked: individual information that is logically associated with other data to the individual.
 Linkable: information collected from many unrelated sources.

Key Laws Governing PII

 Privacy Act of 1974: Provides guidance for the collection, use, management, and disclosure
of personal information.
 Health Insurance Portability and Accountability Act (HIPAA) of 1996: Restricts use and
disclosure of protected health information (PHI) and grants individuals access to their records.
 Children's Online Privacy Protection Act (COPPA) of 1998: Requires that parental consent be
obtained by websites that gather personal information on children under the age of 13.
 E-Government Act of 2002, Titles II and III: Requires federal agencies to assess the privacy
impact of systems that collect information about members of the public.

Key Privacy Guidance

 Office of Management and Budget (OMB) Mandate M-07-16 (2007): Requires safeguards for PII in
electronic or paper format, and policies and procedures for privacy incident reporting and
handling.
 National Institute of Standards and Technology (NIST) Special Publication 800-53,
Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations: In Appendix J, NIST provides a structured, standardized set of privacy
controls that all systems and organizations must address.

Categories of PII

 PII: any information that permits the identity of an individual to be directly or
indirectly inferred, including any information that is linked or linkable to that individual.
 Sensitive PII: PII which, if lost, compromised, or disclosed without authorization, could
result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
 Protected Health Information (PHI): under US law, any information about health status,
provision of health care, or payment for health care that is created or collected by a
"Covered Entity" (or a Business Associate of a Covered Entity) and can be linked to a
specific individual.
 Indirect (Anonymous) PII: information that can be combined with other information to
identify a specific individual.

Common Examples of PII

 Name
 Social Security number (SSN)
 Date of birth (DOB)
 Mother’s maiden name
 Financial records
 Email address
 Driver’s license number
 Passport number
 Health information

"Rolodex Exception"

 Name (full or partial)
 Business street address
 Business phone numbers, including fax
 Business e-mail addresses
 Business organization

"Identifies Business Rolodex Information as a specific context in which the privacy risk for the
individuals and/or the respective agency is so low that it does not trigger the Privacy Overlay."

Indirect (Anonymous) PII

The important thing to remember: the more information that is combined, the greater the risk of
identifying a specific individual.

E.g., a Social Security number without a name is unlikely to result in the identification of an
individual; however, a name and Social Security number together are very likely to result in the
identification of an individual.
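The point made on this slide and on the "Linked and Linkable" slide can be measured rather than just stated. The following is an added example (not part of the training material) in Python: it takes a constructed, "de-identified" dataset from which names and SSNs have been removed, counts how many records share each combination of remaining attributes (the group size k, where k = 1 means a record is unique), and then links the dataset to a second, constructed and unrelated source that carries names alongside the same attributes. All records, names, field names and function names are assumptions made up for the example; the diagnosis column stands in for any sensitive attribute.

```python
from collections import Counter

# Constructed sample data (hypothetical, not from the training deck): a dataset
# that was "anonymized" by dropping name and SSN but kept quasi-identifiers.
DEIDENTIFIED = [
    {"zip": "20001", "birth_year": 1980, "sex": "F", "diagnosis": "asthma"},
    {"zip": "20001", "birth_year": 1980, "sex": "M", "diagnosis": "flu"},
    {"zip": "20001", "birth_year": 1980, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "20001", "birth_year": 1990, "sex": "M", "diagnosis": "none"},
    {"zip": "20001", "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"zip": "20002", "birth_year": 1980, "sex": "F", "diagnosis": "asthma"},
    {"zip": "20002", "birth_year": 1980, "sex": "M", "diagnosis": "flu"},
    {"zip": "20002", "birth_year": 1990, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "20002", "birth_year": 1990, "sex": "M", "diagnosis": "none"},
]

# Constructed "unrelated source" (also hypothetical): a contact list that
# carries names together with the same quasi-identifiers.
PUBLIC_LIST = [
    {"name": "A. Smith", "zip": "20001", "birth_year": 1980, "sex": "F"},
    {"name": "B. Jones", "zip": "20001", "birth_year": 1980, "sex": "M"},
    {"name": "C. Brown", "zip": "20001", "birth_year": 1980, "sex": "F"},
    {"name": "D. Lee",   "zip": "20001", "birth_year": 1990, "sex": "M"},
    {"name": "E. Kim",   "zip": "20001", "birth_year": 1990, "sex": "F"},
    {"name": "F. Diaz",  "zip": "20002", "birth_year": 1980, "sex": "F"},
    {"name": "G. Okoro", "zip": "20002", "birth_year": 1980, "sex": "M"},
    {"name": "H. Wang",  "zip": "20002", "birth_year": 1990, "sex": "F"},
    {"name": "I. Rossi", "zip": "20002", "birth_year": 1990, "sex": "M"},
]


def key_for(record, fields):
    """The combination of attribute values a record exposes for `fields`."""
    return tuple(record[f] for f in fields)


def class_sizes(records, fields):
    """How many records share each combination of the given fields."""
    return Counter(key_for(r, fields) for r in records)


def min_k(records, fields):
    """Smallest group size; k == 1 means at least one record is unique
    on these fields and therefore singled out without needing a name."""
    return min(class_sizes(records, fields).values())


def link(deidentified, external, fields):
    """Join the de-identified rows to the external list on `fields` and
    return (name, sensitive attribute) for rows that resolve to exactly
    one name. Rows whose attribute combination matches several names
    stay ambiguous and are not returned."""
    names_by_key = {}
    for person in external:
        names_by_key.setdefault(key_for(person, fields), []).append(person["name"])
    resolved = []
    for row in deidentified:
        names = names_by_key.get(key_for(row, fields), [])
        if len(names) == 1:
            resolved.append((names[0], row["diagnosis"]))
    return resolved


if __name__ == "__main__":
    for fields in (["zip"], ["zip", "birth_year"], ["zip", "birth_year", "sex"]):
        k = min_k(DEIDENTIFIED, fields)
        hits = link(DEIDENTIFIED, PUBLIC_LIST, fields)
        print(f"{fields}: smallest group k={k}, rows linked to a single name: {len(hits)}")
```

Run stand-alone, the loop shows the group size falling from 4 (ZIP only) to 2 (ZIP and birth year) to 1 (ZIP, birth year and sex), while the number of rows that link to exactly one name in the other source rises from 0 to 7. Whether the combination counts as "linkable" depends not only on the data you release but on what other sources hold the same attributes, which is why a release review should look at the fields in combination and not one at a time.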

What Identity Thieves Want (Your PII)

You should take the time to inventory your relationships with the companies, organizations and
individuals you trust with your personally identifiable information, or PII. Think of your identity as
a PII chart: a picture of the relationships you have created. Once you visualize the slices of your
PII, managing your identity becomes easier.

Need to Know

Follow the "need to know" principle:

 Only release information to personnel who have a "need to know"
 Only release the "minimum necessary" to meet the needs of the request

Protect PII:
 Collect, access, use, and disclose personal information only for reasons that serve a
legitimate job function and are allowed by law.
 Safeguard personal information in your possession.
 Properly dispose of documents containing PII.
 Report suspected privacy violations or incidents.

Possible Consequences of Privacy Violations

Privacy violations have several possible consequences:

 Employee discipline.
 Fines.
 Criminal charges.

Civil Remedies:
 The cost of actual damages suffered ($1,000 minimum)
 Costs and reasonable attorney's fees.

Criminal Penalties:
 Charge of a misdemeanor
 Maximum fine of $5,000

Lesson Summary

Students will now be able to:

 Define privacy
 Identify laws and guidance governing PII
 Define PII and list examples

During this lesson, the following topics were discussed:

 Privacy and its importance
 Laws and guidance governing PII
 Personally Identifiable Information
 Possible Consequences of Privacy Violations
