(U) PRIV1001: Annual Privacy Awareness Training

(U) Glossary | (U) Resources

(U) Module 2: Supervisor Responsibilities for Privacy

 

(U) Module Introduction

(U) Safeguarding privacy is the role of every Agency staff member, but you have additional responsibilities if you’re a supervisor.

(U) Module Scenario

(U) As a supervisor, you’re likely to maintain a Recall Roster for your office or occasionally request information from your personnel. Are you adequately protecting your staff’s privacy? Are you ensuring that your staff is doing what’s needed to safeguard PII and personal information?

(U) Module Objectives

(U) Upon completion of this module, you’ll be able to:

• Identify the supervisor’s role and responsibilities for safeguarding privacy
• Recall how to properly maintain supervisor personnel files and Recall Rosters
• Identify NSA’s breach reporting process
• Identify the types of privacy reviews
• Describe the process for conducting privacy reviews and privacy impact assessments

(U) The Supervisor’s Privacy Responsibilities

(U) Employ best practices to:

• Collect only what you need
• Use corporate databases when available
• Avoid creating collections for sake of convenience

(U) Ensure that your staff:

• Takes annual mandatory training
• Understands and complies with privacy rules/practices
• Knows how to report a PII breach

(U) Prevent inadvertent disclosure of PII by:

• Knowing what PII your office collects, maintains, and uses
• Putting administrative, physical, and technical safeguards in place
• Ensuring your staff follow established procedures

(U) Ensure that contracts include:

• The Federal Acquisition Regulation (FAR) privacy clauses (FAR 52.224-1 & 52.224-2)
• Data disposal details at end of the record’s lifecycle

(U) Reporting PII Breaches

(U) It’s the responsibility of all Agency staff members to report any PII incidents immediately upon discovery. What happens after a breach is reported?

1. The Security Health Officer (SHO) sends an incident report to the Inspector General (IG) and the Privacy Advocate
2. Then the IG coordinates with the Privacy Advocate to determine if the incident meets the OMB and DoD requirements for PII breach reporting
3. Within 1 hour of discovery, the SHO must report the breach to the Department of Homeland Security (DHS) U.S. Computer Emergency Readiness Team (US-CERT), if the Privacy Advocate determines it meets the reporting criteria
4. Within 24 hours, the Privacy Advocate completes a risk assessment to determine if notification of affected parties is required
5. Within 48 hours, the Privacy Advocate must send a breach report to DoD’s Defense Privacy and Civil Liberties Office

(U) Depending on the breach’s severity and nature, these steps may be needed:

• (U) Notifications to the individuals affected by the breach, if there’s a likelihood that the breach may lead to harm:
• Need for notification determined by the Civil Liberties and Privacy Office
• It must be sent within 10 working days after the breach
• It must provide the specific data involved, circumstances surrounding the breach, and protective actions taken by NSA/CSS or the individual to mitigate
• If a notification is required but doesn’t occur within 10 days, the Deputy Secretary of Defense must be notified of the reason
• (U) Congressional reporting

(U) Your Role as a Supervisor When a Breach is Reported

• Be prepared to provide details of the incident
• Work with the Privacy Advocate to determine if a PII breach actually occurred, and what follow-on actions are necessary
• Review administrative, physical, and technical safeguards with your staff to reduce the chance of recurrence

(U) Knowledge Check Introduction

(U) It's time to see what you've learned so far. If you're unclear on any of the topics, you might want to review it before starting the knowledge check.

Question #1

(U) As a supervisor, my responsibilities to protect PII include which of the following? Select all that apply.

1. Being aware of what my office collects, how it's used, and who it's shared with, and following the established safeguards
2. Only collecting PII if a SORN is in place that allows me to do so, in accordance with NSA/CSS policies
3. Collecting and using SSNs with all personal data to ensure association to the correct individual
4. Ensuring data is only used as outlined in the SORN and PAS
5. Sharing personnel data with all staff within my office
6. Ensuring my staff takes their annual privacy training

(U) Feedback: The correct answers are A, B, D, and F. Supervisors should eliminate the use of SSNs when possible, and access to PII should be limited to those who perform specific assigned duties.

Question #2

(U) A member of your staff comes to you to report a breach of PII. What is the first step your office should take? Select one.

1. Submit an incident report to the NSA/CSS Information System Incident Response Team (NISIRT).
2. Contact the Inspector General’s Office.
3. Complete a risk assessment to determine if notification of affected parties is required.

(U) Feedback: The correct answer is A. Your first step is to report any incident of lost, stolen, or compromised PII to the NISIRT immediately upon discovery.

(U) Handling Personnel Materials

(U) As a supervisor, you likely make notes and maintain various types of files on your staff. You may keep these simply as memory joggers, or you may use them as reference for official actions. Are you handling these properly to protect your staff's privacy, in accordance with the Privacy Act?

(U) Supervisor Files & Notes

(U) The proper maintenance of personnel files and notes depends on whether the records are official or unofficial. You can determine this distinction by the type of information and how it’s used. Regardless, be careful not to commingle PII about different staff members within the same file.

(U) Unofficial Records

(U) If you keep information only as a memory jogger, meaning you won't share it and it won't be used in support of an official action, it's unofficial. Unofficial records aren't subject to access by the staff member.

(U) Official Records

(U) If you share your notes or use them in an official action, they become an official record. As with all official records:

• They must be maintained according to the proper records disposition schedule
• Staff members can request access to them
• Staff members can request amendments to correct factual information by contacting the Information Management Office

(U) Recall Rosters

(U) A specific type of personnel record used at the Agency is the Recall Roster. All employees and military personnel must provide contact information for emergency recall. You must provide a PAS to personnel prior to collecting the information. Type “go clpo” and visit the Privacy Advocate’s Corner for information on recall rosters.

(U) Be sure to follow these guidelines when creating your Recall Roster:

• Include limited information: first name, last initial, and home or cell phone
• Mark your roster PRIVACY SENSITIVE - Any misuse or unauthorized disclosure may result in disciplinary action
• Provide only to those who have an official need-to-know
• Use only for the purpose of emergency recall
• Dispose of in an Agency burn bag
• Post only to an internal website where access is restricted to those with a need-to-know

(U) What if your staff member objects to having their phone number on the roster? You can arrange to call that member yourself during alerts or exercises, and maintain their contact information separately from the Recall Roster.

(U) Privacy Reviews

(U) You should be aware of the types of Privacy Reviews conducted by the Agency for Office of Management & Budget (OMB) reporting. These include:

• Biennial review of NSA/CSS Privacy Act Systems of Records to ensure the Agency is legally compliant with the Privacy Act
• Annual review of PII holdings to ensure Agency records are accurate, relevant, timely, and complete, and to reduce the use of SSNs and PII in Agency records
• Biennial computer matching for determining eligibility for federal programs (e.g., student loans and federal personnel, or payroll systems matched with state and local government agencies)

(U) Privacy Requirements for IT Systems

(U) If your organization is planning to purchase, develop, or modify a non-national security IT system that will contain PII, you must ensure that a Privacy Impact Assessment (PIA) is conducted in compliance with Section 208 of the E-Government Act:

• “Non-national security IT systems” means systems that maintain information about visitors and employees
• PIAs examine the risks and vulnerabilities of collecting, maintaining, and disseminating PII in non-national security IT systems, and outline how these vulnerabilities are mitigated; system owners and developers work together to complete PIAs
• PIAs must also be conducted on systems containing PII during recertification if they don’t have an existing PIA
• For more information on the PIA process and to get the PIA template, type go PIA in your browser

(U) Knowledge Check Introduction

(U) It's time to see what you've learned so far. If you're unclear on any of the topics, you might want to review it before starting the knowledge check.

Question #1

(U) When working with Recall Rosters, I must do which of the following? Select all that apply.

1. Adhere to NSA/CSS guidelines as published on the CLPO website
2. Use them only for the purpose of emergency recall
3. Properly mark them with the NSA privacy banner
4. Share them with everyone in the office
5. Provide staff members with a PAS

(U) Feedback: The correct answers are A, B, C, and E. You may only provide Recall Rosters to those who have an official need-to-know.

Question #2

(U) Which of the following statements is true regarding files that contain PII? Select all that apply.

1. You should maintain information for all of your staff in a single file
2. All personnel files maintained by a supervisor are considered official records
3. The Information Management Office processes requests to amend Privacy Act records
4. Staff members can request access to official personnel files maintained on them, and request amendments to correct factual information

(U) Feedback: The correct answers are C and D. If you maintain files on your staff, you must not commingle PII of different staff members within the same file, and staff information kept by a supervisor isn't an official record until it's shared or used in support of an official action.

Question #3

(U) As a supervisor, you're responsible for ensuring a PIA is performed when your organization creates a non-national security IT system, or when initiating an electronic collection that collects, uses, or maintains PII.

1. True
2. False

(U) Feedback: The correct answer is A, True. You must ensure a PIA is performed whenever purchasing, developing, or modifying a non-national security IT system that will handle PII.

(U) Think Privacy!

(U) The dedication of all Agency staff towards protecting privacy is paramount to a successful privacy program at NSA/CSS. As a supervisor, it’s particularly important that you keep privacy at the forefront when you:

• Initiate new collections of PII
• Add new elements to an existing, approved database
• Create or revise forms that collect PII
• Design and distribute surveys
• Ensure contracts include the FAR privacy clauses (52.224-1 and 52.224-2), and that contractor staff understands privacy and complies with privacy rules and policies

(U) For any privacy questions or concerns, contact the NSA/CSS Privacy Advocate via email to DL Privacy_Advocate. Please direct any mission-related privacy questions to DL D5_All.

(U) Module Summary

(U) Now that you’ve completed this module, you should be able to:

• Identify the supervisor’s role and responsibilities for privacy
• Recall how to properly maintain supervisor personnel files and Recall Rosters
• Identify NSA’s breach reporting process
• Identify the types of privacy reviews
• Describe the process for conducting privacy reviews and PIAs

(U) Congratulations!

(U) You’ve completed Module 2 of the annual Privacy Act Course. Exit this window and follow the directions to start the Final Assessment. Select the Supervisor version of the assessment when prompted.