Page 1: Introduction to the West Virginia Executive Branch Privacy Policies

Executive Branch Privacy Program

Education & the Arts

Presented by Heather Butler, Privacy Coordinator, WVDCH

May 2009

Page 2: Welcome to the Privacy Program!

The Privacy Program consists of six policies:

Notice

Consent

Individual Rights

Minimum Necessary and Limited Use

Security Safeguards

Accountability

These all take effect on August 1, 2009.

Compliance is required for all Executive Branch Agencies, including Education & the Arts.

Page 3: Why Have a Privacy Program?

The Privacy Program demonstrates our commitment to respecting people by protecting their information and using it properly.

Our commitment extends to all our employees as well as our citizens, service providers and other business partners.

The Privacy Program balances individual privacy with our legitimate needs to collect, use and disclose information for Agency business purposes.

Page 4: Policies Govern “PII”

PII = personally identifiable information

PII is any information that can be used to identify, locate or contact a person.

Includes obvious information, such as names and addresses, and Social Security numbers.

And less obvious information, such as email addresses, driver’s license numbers, credit card numbers.

Even regulated information – Protected Health Information (PHI) – is part of PII.

Includes information about citizens, co-workers, vendors and employers – every person you encounter.

Includes information in every format – computerized or paper.

Page 5: Sensitive PII is a Subset of PII

Some PII is classified as “sensitive”.

Sensitive PII (or SPII) consists of those elements of PII that require greater protection:

All health information and medical records, including (but not limited to) PHI

Social Security numbers, driver’s license numbers

Financial account information, including bank account numbers and payment card information

Page 6: Privacy Program Summary

Policies regulate our collection, use, transfer and storage of PII.

They provide for transparency, using privacy notice, and choice.

They require that we respect individual rights of access and correction.

They demonstrate our willingness to accommodate individual privacy concerns.

They require us to answer questions and respond to complaints.

Page 7: NOTICES

What is a Notice?

Why is it important?

Drafting privacy notice

Notice Required for EACH process.

Concept of “Layered Notices”

How are notices delivered?

Page 8: The Consent Policy

Reflects our commitment to giving people choice about how we collect, use and disclose their PII.

Recognizes that sometimes choice isn’t possible.

What is choice? The ability to specify whether PII will be collected and/or how it will be used or disclosed.

Opt in vs. opt out

Page 9: Consent Policy

How the Consent Policy Works

Sometimes a person’s consent is required before you can use PII – if this is true, you must obtain consent.

For example, our HIPAA Policy requires consent before a person’s PHI can be shared for fundraising.

Sometimes you are required to collect PII – if this is true, you may use the PII even if the person objects.

For example, our Communicable Diseases Policy mandates that you disclose some PHI for public health purposes.

In most cases, consent is not required – if this is true, you may collect the PII, but you offer individuals choice wherever possible.

Page 10: The Individual Rights Policy

Demonstrates our commitment to:

Collecting PII directly from the individual, where possible

Giving individuals the ability to access, copy and amend their PII

Answering questions about our use and handling of PII

Trying to address individual privacy concerns

Page 11: Individual Rights Policy

Why is Access Important?

“Access” is the ability of a person to view the PII held by an organization.

This ability is usually complemented by an ability to update the information.

Access rights help ensure accuracy – this is especially important for PII used for substantive decision-making.

They also improve accountability – by viewing the PII held, individuals can confirm that we are complying with the promises in our privacy notices.

Page 12: Individual Rights Policy

Respecting Access Rights

We have processes for evaluating access requests and providing access to PII.

We also have a process for updating PII, if it’s not accurate.

REFER REQUESTS TO PRIVACY COORDINATOR OR PRIVACY OFFICER

Page 13: The Minimum Necessary and Limited Use Principle

Demonstrates our commitment to only collecting the PII that we really need for Agency business.

Requires us to give people choice when we collect PII that isn’t strictly necessary for the process at hand.

Page 14: Minimum Necessary Policy

Why is Min Necessary Important?

Demonstrates respect for privacy by addressing one of the most common concerns, “excessive” collection of PII.

Forces us to think about the purposes for the processing – and the purposes for each element of PII that we request.

Helps ensure we keep our privacy promises by limiting the opportunity for mission creep.

Page 15: Minimum Necessary Policy

Limit Collection of PII

Determine what elements of PII you really need for a process, i.e., the PII you must collect.

If you wish to collect additional elements of PII, you MAY do so if:

You have a specific purpose for the PII, related to legitimate Agency business,

That purpose is described in the privacy notice, AND

You offer individuals choice, so they can decline to provide the PII.

You may not require an individual to provide more than the minimum necessary PII.

Page 16: Minimum Necessary Policy

Limit Collection of PII - Example

You run a state campground. To enable camping, you must collect the person’s name and payment information.

You may collect an emergency contact, in case something bad happens.

You may collect an email address, in case you send happy camper email newsletters.

You may collect demographic data or conduct surveys, in case you want to know more about your customers and what they’d like from your campground.

You cannot require emergency contacts, email addresses or survey responses – but you may certainly ask.

Your privacy notice must address all the elements.

Page 17: Minimum Necessary Policy

Limit Disclosure of PII

When disclosing PII to third parties (such as vendors or other agencies), only disclose those elements of PII that are needed by the third party.

Extract the required elements of PII, and don’t share anything else.

Page 18: The Security Safeguards Policy

You cannot respect privacy unless you secure the PII.

The Security Safeguards Policy requires each Agency to have appropriate controls to protect PII.

We protect the PII from (i) anticipated threats or hazards, and (ii) unauthorized access, use or disclosure.

We protect ALL PII, with special attention on sensitive PII.

We protect PII in all formats – paper or computerized.

We collaborate with the Office of Technology (OT) on information security requirements.

Page 19: Security Safeguards Policy

Comply with OT Policies

The most important requirement is that you follow all the OT security rules:

http://www.state.wv.us/ot/PDF/Document_center/SecurityPol0107.pdf

Take a few moments to review these rules and make sure you understand exactly how they apply to your daily activities.

Ask questions if you aren’t sure!

Also review the Agency Acceptable Use Policy.

Page 20: Security Safeguards Policy

Security Incidents

A “Security Incident” is any incident that compromises the security, confidentiality, or integrity of PII (with or without SPII).

Unauthorized Disclosures of PII are always security incidents.

Other examples:

Lost or stolen laptop or device (PDA, cell phone)

Lost or stolen storage media (memory stick, CD-ROM)

Lost or stolen paper records

Lost or compromised password or access card

Presence of viruses, spyware or other malicious code on a computer or device

Page 21: Security Safeguards Policy

Security Incidents

Even the very best organizations have security incidents.

Workers in the best organizations watch for incidents and report them immediately.

This allows the Privacy Officer and security teams to manage the risks and limit damage.

Your job is to report all incidents to your manager, the Privacy Officer or the Helpdesk as soon as you become aware of a problem!

Page 22: The Accountability Policy

Everyone is responsible for privacy and security.

Everyone has access to lots of PII and SPII – about your co-workers, citizens we serve, our business partners.

It is your job to understand how the Privacy Policies apply to the PII you have.

It is your job to forward questions and complaints to your manager or the Privacy Officer.

It is also your job to tell us about any mistakes that might compromise or expose PII.

Page 23: The Accountability Policy

What It Means For You

Read the Policies – be sure you understand how they apply to your day-to-day activities.

Ask questions – if you aren’t sure of something, ask your manager or the Privacy Officer.

Don’t be afraid to say no – you have the power to question anything that doesn’t seem right!

Call the OT Helpdesk if you have any security questions.

Report complaints, violations and mistakes IMMEDIATELY.

Page 24: The Accountability Policy

Names & Numbers to Know

OT Helpdesk: (304) 558-1257

Agency Privacy Officer

WVDCH: Heather Butler, (304) 558-0220

Education and the Arts: Tiffany Redman, (304) 558-2440

Page 25: Questions & Comments