Introduction to the West Virginia Executive Branch Privacy Policies
Executive Branch Privacy Program
Education & the Arts
Presented by Heather Butler, Privacy Coordinator, WVDCH
May 2009
Welcome to the Privacy Program!
Privacy Program consists of six policies
Notice
Consent
Individual Rights
Minimum Necessary and Limited Use
Security Safeguards
Accountability
These all take effect on August 1, 2009
Compliance is required for all Executive Branch Agencies, including Education & the Arts
Why Have a Privacy Program?
The Privacy Program demonstrates our commitment to respecting people by protecting their information and using it properly
Our commitment extends to all our employees as well as our citizens, service providers and other business partners
The Privacy Program balances individual privacy with our legitimate needs to collect, use and disclose information for Agency business purposes
Policies Govern “PII”
PII = personally identifiable information
PII is any information that can be used to identify, locate or contact a person
Includes obvious information, such as names and addresses, Social Security numbers
And less obvious information, such as email addresses, driver’s license numbers, credit card numbers
Even regulated information – Protected Health Information (PHI) is part of PII
Includes information about citizens, co-workers, vendors and employers – every person you encounter
Includes information in every format – computerized or paper
Sensitive PII is a Subset of PII
Some PII is classified as “sensitive”
Sensitive PII (or SPII) consists of those elements of PII that require greater protection
All health information and medical records, including (but not limited to) PHI
Social Security numbers, driver’s license numbers
Financial account information, including bank account numbers and payment card information
Privacy Program Summary
Policies regulate our collection, use, transfer and storage of PII
They provide for transparency, using privacy notice, and choice
They require that we respect individual rights of access and correction
They demonstrate our willingness to accommodate individual privacy concerns
They require us to answer questions and respond to complaints
NOTICES
What is a Notice?
Why is it important?
Drafting privacy notice
Notice Required for EACH process.
Concept of “Layered Notices”
How are notices delivered?
The Consent Policy
Reflects our commitment to giving people choice about how we collect, use and disclose their PII
Recognizes that sometimes choice isn’t possible
What is choice? - the ability to specify whether PII will be collected and/or how it will be used or disclosed
Opt in vs. opt out
Consent Policy
How the Consent Policy Works
Sometimes a person’s consent is required before you can use PII – if this is true, you must obtain consent
For example, our HIPAA Policy requires consent before a person’s PHI can be shared for fundraising
Sometimes you are required to collect PII – if this is true, you may use the PII even if the person objects
For example, our Communicable Diseases Policy mandates that you disclose some PHI for public health purposes
In most cases, consent is not required – if this is true, you may collect the PII, but you offer individuals choice wherever possible
The Individual Rights Policy
Demonstrates our commitment to
Collecting PII directly from the individual, where possible
Giving individuals the ability to access, copy and amend their PII
Answering questions about our use and handling of PII
Trying to address individual privacy concerns
Individual Rights Policy
Why is Access Important?
“Access” is the ability of a person to view the PII held by an organization
This ability is usually complemented by an ability to update the information
Access rights help ensure accuracy – this is especially important for PII used for substantive decision-making
They also improve accountability – by viewing the PII held, individuals can confirm that we are complying with the promises in our privacy notices
Individual Rights Policy
Respecting Access Rights
We have processes for evaluating access requests and providing access to PII
We also have a process for updating PII, if it’s not accurate
REFER REQUESTS TO PRIVACY COORDINATOR OR PRIVACY OFFICER
The Minimum Necessary and Limited Use Principle
Demonstrates our commitment to only collecting the PII that we really need for Agency business
Requires us to give people choice when we collect PII that isn’t strictly necessary for the process at hand
Minimum Necessary Policy
Why is Min Necessary Important?
Demonstrates respect for privacy by addressing one of the most common concerns, “excessive” collection of PII
Forces us to think about the purposes for the processing – and the purposes for each element of PII that we request
Helps ensure we keep our privacy promises by limiting the opportunity for mission creep
Minimum Necessary Policy
Limit Collection of PII
Determine what elements of PII you really need for a process - e.g., the PII you must collect
If you wish to collect additional elements of PII, you MAY do so if:
You have a specific purpose for the PII, related to legitimate Agency business
That purpose is described in the privacy notice, AND
You offer individuals choice, so they can decline to provide the PII
You may not require an individual to provide more than the minimum necessary PII
Minimum Necessary Policy
Limit Collection of PII - Example
You run a state campground. To enable camping, you must collect the person’s name and payment information
You may collect an emergency contact, in case something bad happens
You may collect an email address, in case you send happy camper email newsletters
You may collect demographic data or conduct surveys, in case you want to know more about your customers and what they’d like from your campground
You cannot require emergency contacts, email addresses or survey responses – but you may certainly ask
Your privacy notice must address all the elements
Minimum Necessary Policy
Limit Disclosure of PII
When disclosing PII to third parties (such as vendors or other agencies), only disclose those elements of PII that are needed by the third party
Extract the required elements of PII, and don’t share anything else
The Security Safeguards Policy
You cannot respect privacy unless you secure the PII
The Security Safeguards Policy requires each Agency to have appropriate controls to protect PII
We protect the PII from (i) anticipated threats or hazards, and (ii) unauthorized access, use or disclosure
We protect ALL PII, with special attention on sensitive PII
We protect PII in all formats – paper or computerized
We collaborate with the Office of Technology (OT) on information security requirements
Security Safeguards Policy
Comply with OT Policies
The most important requirement is that you follow all the OT security rules
http://www.state.wv.us/ot/PDF/Document_center/SecurityPol0107.pdf
Take a few moments to review these rules and make sure you understand exactly how they apply to your daily activities
Ask questions if you aren’t sure!
Also review the Agency Acceptable Use Policy
Security Safeguards Policy
Security Incidents
A “Security Incident” is any incident that compromises the security, confidentiality, or integrity of PII (with or without SPII)
Unauthorized Disclosures of PII are always security incidents
Other examples:
Lost or stolen laptop or device (PDA, cell phone)
Lost or stolen storage media (memory stick, CD-ROM)
Lost or stolen paper records
Lost or compromised password or access card
Presence of viruses, spyware or other malicious code of a computer or devices
Security Safeguards Policy
Security Incidents
Even the very best organizations have security incidents
Workers in the best organizations watch for incidents and report them immediately
This allows the Privacy Officer and security teams to manage the risks and limit damage
Your job is to report all incidents to your manager, the Privacy Officer or the Helpdesk as soon as you become aware of a problem!
The Accountability Policy
Everyone is responsible for privacy and security
Everyone has access to lots of PII and SPII – about your co-workers, citizens we serve, our business partners
It is your job to understand how the Privacy Policies apply to the PII you have
It is your job to forward questions and complaints to your manager or the Privacy Officer
It is also your job to tell us about any mistakes that might compromise or expose PII
The Accountability Policy
What It Means For You
Read the Policies – be sure you understand how they apply to your day-to-day activities
Ask questions – if you aren’t sure of something, ask your manager or the Privacy Officer
Don’t be afraid to say no – you have the power to question anything that doesn’t seem right!
Call the OT Helpdesk if you have any security questions
Report complaints, violations and mistakes IMMEDIATELY
The Accountability Policy
Names & Numbers to Know
OT Helpdesk
(304) 558-1257
Agency Privacy Officer
WVDCH
Heather Butler: (304) 558-0220
Education and the Arts
Tiffany Redman: (304) 558-2440
Questions & Comments