Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office


Privacy Reporting and Investment Certification

TRICARE Management Activity HEALTH AFFAIRS

2009 Data Protection Seminar

TMA Privacy Office


Purpose

The purpose of this presentation is to provide an overview of how privacy reporting and investment certification are an important part of our road to compliance.


Objectives

Upon completion of this course, you should be able to:

− Identify privacy reporting requirements and what role the Federal Information Security Management Act (FISMA) has in consolidating these reporting requirements

− Identify the role of privacy in the Military Health System (MHS) Defense Business Transformation (DBT) Investment Certification process

− Describe the importance of the Defense Health Program System Inventory Reporting Tool (DHP-SIRT) in collecting important privacy information for reporting purposes


Privacy Reporting


Types of Privacy Reporting

− SSN Reduction

− DoD Quarterly Privacy Training

− Privacy Act Review

− Public Law 110-53

− FISMA


Privacy Act Review

Agency Responsibilities

− Required by agencies subject to the Privacy Act of 1974

− OMB A-130 provides specific guidelines

What types of review must be completed?

− Section (M) contracts

− Records practices

− Routine Uses/System of Records/Exemptions

− Matching programs

− Training

− Violations

− (e)(3) Statements


SSN Reduction

What brought about Social Security Number (SSN) reduction?

− Task Force on Identity Theft Strategic Plan

− Office of Management and Budget (OMB)

How is SSN reduction being addressed for privacy reporting purposes?

− What role does the TMA Privacy Officer have?

− Provide consultation related to review of SSN usage on forms and surveys

− Verify program managers are reporting SSN usage for TMA systems


Public Law 110-53

What is Public Law 110-53?

− Implementing recommendations of the 9/11 Commission Act of 2007

− Title VIII contains sections on privacy and civil liberties

− Contains four sections

− Section 803 speaks specifically to the quarterly privacy reporting

What privacy information is being collected?

− Privacy reviews

− Advice and responses

− Privacy complaints and dispositions


DoD Quarterly Privacy Training

How is DoD Privacy Training being reported?

− Requirement of OMB to ensure privacy training

− Requirement from the Defense Privacy Office to report quarterly via FISMA

What training elements are being reported?

− Orientation training

− Specialized training

− Management training

− Annual Refresher training


FISMA

What is FISMA?

− Report required by the E-Government Act of 2002

− Report on the security and privacy of sensitive information in federal computer systems

How often are we reporting for FISMA purposes?

− Quarterly

− Annually


FISMA – Quarterly Reporting

Why is quarterly reporting different from annual reporting?

− Provides a pulse check on both security and privacy of systems

− Quarterly report is not as comprehensive as annual report

What exactly is being reported in the quarterly FISMA report?

− Privacy Impact Assessment (PIA) and System of Records Notice (SORN) information

− Inventory of systems

− Certification & accreditation information


FISMA – Annual Reporting

How does FISMA bring all these privacy reporting requirements together?

(Diagram: the annual FISMA report consolidates the following privacy reporting streams)

− SSN Reduction

− Public Law 110-53

− DoD Quarterly Privacy Training

− Privacy Act Review


Investment Certification


Investment Certification

What is investment certification?

− Method to ensure appropriate due diligence has been applied to MHS programs/systems which receive funding

− Allows MHS key stakeholders to address system concerns

How did TMA Privacy Office get involved?

− MHS DBT met with TMA Privacy Office

− Privacy framework was developed

− TMA Privacy Office designated as privacy subject matter expert for investment certification review


Investment Certification (continued)

What documents are reviewed by the TMA Privacy Office?

− Privacy Investment Framework

− PII/PIA/FISMA checklist

− Investment Concept of Operations

(Diagram: Investment Review Process)

− MHS DBT Investment Package Completion

− MHS Investment Review Committee Meeting

− Packages Sent to Additional Investment Review Boards

− Discussion of Unresolved Issues


Investment Certification (continued)

How has the Privacy Office/DBT relationship been beneficial?

− Organizational privacy awareness

− Proactive approach by various program offices

− Addressing privacy earlier in the system development life cycle


DHP-SIRT


DHP-SIRT

What is DHP-SIRT?

− Assistant Secretary of Defense for Health Affairs (ASD/HA)/TMA System Repository

− Driven by development of the Defense Information Technology Portfolio Repository

− Contains different system information, including privacy data

How does DHP-SIRT help facilitate collection of privacy information for privacy reporting?

− Collects certain data privacy elements for reporting purposes

− PIA information

− SORN information

− SSN information


Summary

You should now be able to:

− Identify privacy reporting requirements and what role FISMA has in consolidating these reporting requirements

− Understand the role of privacy in the MHS DBT Investment Certification process

− Understand the importance of the DHP-SIRT in collecting important privacy information for reporting purposes


Resources

Public Law 107-347, Section 208, “E-Government Act of 2002”, 17 December 2002

Public Law 107-347, Title III, “Federal Information Security Management Act”, 17 December 2002

Public Law 110-53, “Implementing Recommendations of the 9/11 Commission Act of 2007”, 3 August 2007

“Federal Agency Data Mining Reporting Act of 2007”, 4 June 2007

DoDI 5400.16, “DoD Privacy Impact Assessment (PIA) Guidance”, 12 February 2009

DTM 07-15-USD(P&R) – “DoD Social Security Number (SSN) Reduction Plan”, 28 March 2008