Frequently Asked Questions (FAQs)
When reporting a suspected or actual breach, should I include the names of the individuals involved?
How do you know if a breach has occurred?
What should you do when there is an actual or suspected breach/compromise of PII?
What is a Privacy Act Statement?
When do you need a Privacy Act Statement (PAS)?
Where can I find PII training?
What’s the big deal? Why should I protect Personally Identifiable Information (PII)?
What is a PIA and a SORN? Why do I need either?
What is considered a major incident?
What is a Breach?
For the purpose of safeguarding against and responding to the breach of personally identifiable information (PII) the term “breach” is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
When reporting a suspected or actual breach, should I include the names of the individuals involved?
No. Do not include any personally identifiable information (PII) when reporting a breach.
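One way to enforce this rule before a breach report leaves the reporter's hands is to scrub the narrative for common PII formats and refuse to submit if anything still matches. The script below is an added example written for this page; it is not an Army or DoD tool, and the SSN, e-mail, phone and date patterns, the `[LABEL]` placeholders, and the sample narrative are all assumptions constructed for illustration.

```python
"""Redact PII from a breach-report narrative before it is submitted.

Added illustrative example, not an official Army or DoD tool. The patterns
below are assumptions about common US PII formats (SSN, e-mail address,
phone number, MM/DD/YYYY date) and will not catch every identifier; a human
still reviews the result before sending.
"""
import re

# (label written into the redacted text, compiled pattern).
# SSN runs before PHONE so a 9-digit SSN is labelled as the more specific type
# rather than being matched as a partial phone number.
PII_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def redact(text):
    """Return (redacted_text, counts).

    Every match is replaced by a [LABEL] placeholder, and counts records how
    many of each type were removed, so the reporter can still say
    "one SSN and one phone number were exposed" without reproducing them.
    """
    counts = {}
    for label, pattern in PII_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def contains_pii(text):
    """Final gate before submission: True if any pattern still matches,
    e.g. because someone re-inserted an identifier by hand."""
    return any(p.search(text) for _, p in PII_PATTERNS)


# Constructed sample narrative with fictional data, as a reporter might draft it.
DRAFT = (
    "On 03/14/2024 an unencrypted spreadsheet was emailed to jdoe@example.com. "
    "It listed SSN 123-45-6789 and phone (555) 123-4567 for one employee."
)

if __name__ == "__main__":
    clean, counts = redact(DRAFT)
    print(clean)   # placeholders only; no identifiers survive
    print(counts)  # {'SSN': 1, 'EMAIL': 1, 'PHONE': 1, 'DATE': 1}
    if contains_pii(clean):
        raise SystemExit("report still contains PII; do not submit")
```

Pattern-based scrubbing is a safety net, not a guarantee: names, addresses, and unusual identifier formats are not covered, so the redacted text is still reviewed before it is sent, and the original unredacted draft is handled as PII in its own right.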
How do you know if a breach has occurred?
A breach/compromise incident occurs when it is suspected or confirmed that PII data in electronic or physical form is lost, stolen, improperly disclosed, or otherwise available to individuals without a duty-related official need to know.
What should you do when there is an actual or suspected breach/compromise of PII?
What are Privacy Safeguards?
Privacy Safeguards are administrative, physical, or technical protective measures an organization takes to prevent unauthorized access to or disclosure of personally identifiable information (PII). Within the context of the Federal Government and Personally Identifiable Information (PII), safeguarding refers to protecting PII from loss, theft or misuse while simultaneously supporting the agency mission. Examples of safeguards:
- Administrative Safeguards: Training personnel on information handling best practices
- Physical Safeguards: Ensuring paper records and servers are secured and access is controlled.
- Technical Safeguards: Encrypting computers and emails, and requiring Common Access Cards for system access.
What is a Privacy Act Statement?
The Privacy Act of 1974, 5 U.S.C. § 552a, provides protection to individuals by ensuring that personal information collected by Federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner which precludes unwarranted intrusions upon individual privacy. Pursuant to 5 U.S.C. § 552a(e)(3), agencies are required to provide what is commonly referred to as a Privacy Act Statement to all persons asked to provide personal information about themselves which will go into a system of records (i.e., the information will be stored and retrieved using the individual’s name or other personal identifier such as a Social Security Number).
When do you need a Privacy Act Statement (PAS)?
You need a PAS when you request an individual to furnish personal information (e.g., name, date of birth, social security number) for a system of records, regardless of the method used to collect the information (e.g., forms, personal or telephonic interview).
Where can I find PII training?
PII training is available on Army Privacy Training web page.
What’s the big deal? Why should I protect Personally Identifiable Information (PII)?
We must protect the Personally Identifiable Information of both our employees and our customers. It has a direct and critically important impact on everyone’s lives. Today, we can electronically move vast quantities of information quickly, and the rise of identity theft makes protecting this data imperative. As custodians of this information, we must protect it as we would protect our own. Finally, the Privacy Act of 1974, as amended, provides civil remedies against agencies and criminal penalties for individuals who willfully disclose an individual’s personally identifiable information in violation of the Act.
What is a PIA and a SORN? Why do I need either?
A PIA is a Privacy Impact Assessment. The E-Government Act of 2002 (Sec. 208 Privacy Provisions) requires agencies to “conduct a privacy impact assessment before developing or procuring information technology that has personal information in identifiable form.” All Army activities must complete a PIA for major applications and general support systems. For additional information contact the PIA team at cio-g6.pia.inbox@mail.mil.
A SORN is a System of Records Notice. The Privacy Act of 1974, as amended, requires any agency that maintains information about an individual in a “system of records” (a group of any records … where information is retrieved by the name of an individual, or by some identifying number, symbol, or other identifying particular) to publish a notice in the Federal Register of the existence and character of that system of records. A SORN is only required if the information in a system of records is actually retrieved by a personal identifier.
What is considered a major incident?
A "major incident" is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.