Differences between revisions 3 and 5 (spanning 2 versions)
Revision 3 as of 2023-03-17 19:55:33
Size: 3695
Comment:
Revision 5 as of 2023-03-17 20:04:24
Size: 1282
Comment:
'''E-Government Act of 2002''', as amended by the '''Federal Information Security Modernization Act of 2014''' ('''FISMA'''), identifies security controls on the use of PII. OMB has produced guides and memoranda to further specify the requirements of these acts.



=== Privacy Impact Assessment ===

Before records systems can be developed or purchased by a federal agency, they must undergo a '''Privacy Impact Assessment''' ('''PIA'''). This assessment weighs the benefits of the system against the risks of PII misuse or leaks. It also assesses the quality and legal compliance of the security controls used in and around the system.

If an established records system that has not undergone a PIA will be ''newly'' used to store PII, it must undergo a PIA. Similarly, digitizing a records system that has not undergone a PIA requires a PIA.

Exceptions are made for national security systems and paper records systems.



=== System of Records Notice ===

If a records system is approved by the PIA, the agency must publish a '''System of Records Notice''' ('''SORN''') informing the public of:

 1. the type of PII that will be collected and stored
 2. the agency's legal authority to collect this PII
 3. the security controls used in and around the records system
 4. how individuals can determine if their PII is stored in the records system
 5. how individuals can obtain a copy of their PII from the records system

SORNs are published in the Federal Register, and the publication must be completed before any collection may begin.



=== Disclosures ===

PII stored in a records system can only be disclosed if (1) the individual concerned submits a written request for the disclosure, or (2) the individual has given prior written consent to the disclosure.

Aside from this, there are 12 categories of '''permitted disclosures''':

 1. Disclosure to staff who have a need to know the PII
 2. Disclosure as required by the Freedom of Information Act (FOIA)
 3. Routine use of the records as established in the SORN
 4. Disclosure to the Census Bureau for the purpose of conducting a census or survey
 5. Disclosure for statistical analysis or reporting without individual data
 6. Disclosure to the National Archives and Records Administration (NARA)
 7. Disclosure to a law enforcement agency for the purpose of a civil or criminal investigation
 8. Disclosure for compelling or emergency circumstances affecting an individual's health or safety
 9. Disclosure to Congress
 10. Disclosure to the Government Accountability Office (GAO) and Comptroller General
 11. Disclosure pursuant to court order
 12. Disclosure to a consumer reporting agency
The [[UnitedStates/InformationLaw/FederalInformationSecurityManagementAct|Federal Information Security Management Act]] (FISMA) identifies security controls on the use of PII. The Office of Management and Budget (OMB) has produced guides and memoranda to further specify the requirements of these acts.

= Personally Identifiable Information =

== Definition ==

Any information that can be used to distinguish or trace an identity, whether alone or when used in connection with other information.

Protected health information (PHI) is a subclass of PII with additional requirements and considerations.

== Privacy Act ==

The Privacy Act of 1974 established requirements for the federal government's use of PII. Agencies can be, and have been, held legally and financially liable for leaks of PII.

== FISMA ==

The Federal Information Security Management Act (FISMA) identifies security controls on the use of PII. The Office of Management and Budget (OMB) has produced guides and memoranda to further specify the requirements of these acts.

== Department of Defense Privacy Program ==

DoD 5400.11-R defines the Privacy Program, which controls the use of PII within the U.S. Department of Defense.

== Freedom of Information Act ==

The Freedom of Information Act defines PII-based restrictions on freedom of information requests.



UnitedStates/InformationLaw/PersonallyIdentifiableInformation (last edited 2025-02-06 21:07:55 by DominicRicottone)