
SCCE Higher Education Compliance Conference June 5‐8, 2016

1

Privacy 101, It’s More Than FERPA…

Sarah Morrow, UNM HSC Chief Privacy Officer

June 5, 2016

All images courtesy of Google.com

Disclaimer

• I am not a lawyer and I don’t play one on TV, so this is NOT legal advice in any way, shape, or form. Participation in this session is voluntary and creates no form of agency between you, the sitter and listener, and me, the presenter. In all areas of regulatory compliance: when in doubt, seek a lawyer out.

• Void where prohibited; use may produce unintended consequences; side effects may include: dizziness, headaches, nausea, eating while sleeping, sleeping while eating or other activities. Not valid out of this room or off world. The opinions contained herein are those of the presenter, me, not my employer, the University of New Mexico, or of the host, the Society for Corporate Compliance and Ethics.

Getting to Know You

Show of hands…

• How many of you are Compliance Officers?

• How many of you are Privacy Officers?

• How many of you are NCAA Compliance Officers?

• How many of you are Security/IT Security/Legal/Risk/Internal Audit?

• How many of you have a dedicated FTE Privacy Official? (Does s/he know it?)

• How many of you have a privacy office?

• Is it located in the right space, organizationally?

• How many of you think you should have a privacy office? (I’ll ask this again later)

All images courtesy of Google.com


Privacy Basics - Definitions

• Privacy:

• Personally Identifiable Information (PII):

Definitions – continued

• Protected Health Information

• Security

Managing Expectations/Agenda

Key Takeaways:

1. Thoughts on whether your institution needs a privacy office.

2. Reminders of where compliance obligations to privacy laws exist.

3. Suggestions on organizational locations for your institution’s privacy office.


To Office or Not To Office

1. Do you need a privacy office or privacy officer?

Department of Education Guidance

Department of Education (DOE) FERPA Guidance

2011: FERPA Updated

2011: DOE selects a Chief Privacy Officer


Regulatory Requirements

Health Insurance Portability and Accountability Act (HIPAA)

Designated HIPAA Privacy Officer (and Security Officer)

Red Flags Rule

EXECUTIVE ORDER: ESTABLISHMENT OF THE FEDERAL PRIVACY COUNCIL

• President Barack Obama:

“…it shall be the [US] policy . . . that agencies shall establish an interagency support structure that:

• builds on existing interagency efforts to protect privacy;

• provides expertise & assistance to agencies;

• expands the skill & career development opportunities of agency privacy professionals;

EXECUTIVE ORDER: ESTABLISHMENT OF THE FEDERAL PRIVACY COUNCIL (continued)

• improves the management of agency privacy programs by identifying and sharing lessons learned and best practices; and

• promotes collaboration between & among agency privacy professionals . . .”

Membership. The Chair of the Privacy Council shall be the Deputy Director for Management of the Office of Management and Budget. In addition to the Chair, the Privacy Council shall be composed of the Senior Agency Officials for Privacy at the following agencies:

(i) Department of State;
(ii) Department of the Treasury;
(iii) Department of Defense;
(iv) Department of Justice;
(v) Department of the Interior;
(vi) Department of Agriculture;
(vii) Department of Commerce;
(viii) Department of Labor;
(ix) Department of Health and Human Services;
(x) Department of Homeland Security;
(xi) Department of Housing and Urban Development;
(xii) Department of Transportation;
(xiii) Department of Energy;
(xiv) Department of Education;
(xv) Department of Veterans Affairs;
(xvi) Environmental Protection Agency;
(xvii) Office of the Director of National Intelligence;
(xviii) Small Business Administration;
(xix) National Aeronautics and Space Administration;
(xx) Agency for International Development;
(xxi) General Services Administration;
(xxii) National Science Foundation;
(xxiii) Office of Personnel Management; and
(xxiv) National Archives and Records Administration.

2. Regulatory Landscape


Regulatory Landscape

• Federal Education Records Privacy Act (FERPA)

• Financial Modernization Act of 1999; Gramm-Leach-Bliley Act (GLBA)

• Red Flags

• Health Insurance Portability and Accountability Act (HIPAA)
  • Colleges of Medicine
  • Student Health Centers
  • Counseling/Psychiatric Centers
  • HR/Benefits
  • Community Outreach
  • Research Compliance
  • IRB
  • Business Associates

• Employee Privacy / Fair Credit Reporting Act (FCRA)

• Payment Card Industry (PCI)
  • School IDs
  • Bursar
  • Athletics
  • Hospitality

• Electronic Communications Protection Act (ECPA)

• Freedom Of Information Act (FOIA) / Sunshine Laws

• Etc.

The Privacy Job

• Collaboration: The easiest path to success.

• Consensus: 27-to-1 is a “Tie”.

• Supervision: The art of asking others to do what you can’t while taking responsibility for what they do or don’t do.

• Monitoring: Ensuring continued respect for private information. Documenting your program.


A Day in The Life of the CPO

• Calls:

• Investigations:

• Contracts/Business Associate Agreements:

• Questions:

• Email:

And Then There’s Technology…


Laptops, Desktops and Servers

• What kind (classification) of data resides on the machine(s)?
  • Data elements

• What rules apply to the information?
  • Which regulations
  • What technical obligations

• Standards
  • NIST
  • ISO
  • FIPPs

A night in the life of a CPO

Really? Yes, really. This can be a compliance opportunity or nightmare.

Partnering for Success = Collaboration.

• Office of University or General Counsel

• Information Technology Security

• Physical Security

• Finance / Office of Corporate Controller
  • Corporate Travel
  • P-cards
  • PCI-DSS

• Human Resources
  • Benefits
  • Payroll

• Risk Management/Insurance/Contracts

• Purchasing


Security

So, where to put the privacy office…

Organization Challenges

• Where does the privacy function reside in your organization?

Where the Privacy Office could be located:

• Office of General or University Counsel

• Compliance

• Risk Management

• Chief Information Security Officer’s Office

• Chief Information Officer’s Office

• Stand-alone office

Conflicts of Interest:

• IT Security (CISO)

• Office of the CIO

• Internal Audit


You’ve decided yes, now what?

• Use resources to help locate a trained professional to establish your office.

• Decide where the office will be located, organizationally.

• Provide adequate executive support, funding and STAFFING.

What A CPO Can Provide

• Mission and Vision Statements

• Privacy Impact Assessments

• Institutional Guidance

• Privacy Breach Notification Guidance

• Privacy Policies, Procedures, Standards, and Guidelines

• Institutional Regulatory Compliance

• Privacy Risk Management

• Now, how many of you think you should have a privacy office?

All images courtesy of Google.com


Thank you for your time and attention.

Sarah

Sarah Morrow, CIPP, GISP, MBA-ISM
Chief Privacy Officer
University of New Mexico
Health Science
[email protected]