Knowledge Management Block 2

DPCLO

Defense Privacy and Civil Liberties Office

Compliance

Department of Defense (DoD) personnel are expected to comply with the FOIA, Instructions and FOIA policy in both letter and spirit. This strict adherence is necessary to provide uniformity in the implementation of the DoD FOIA Program and create conditions that will promote public trust.

Information designated as FOUO may be disseminated within

DoD Components and between official DoD offices to conduct official business provided dissemination is consistent with controls imposed by a distribution statement.

Avoidance of Procedural Obstacles

DoD components shall ensure that procedural matters do not unnecessarily impede a requester from obtaining DoD records promptly. Components shall provide assistance to requesters to help them understand and comply with procedures established by DoD/Air Force policy.

ERR

Electronic Reading Room

EITDR

Enterprise Information Technology Data Repository

Information maintained in Information Technology (IT) systems is stored in the ___________________________________.

Enterprise Information Technology Data Repository (EITDR)

FR

Federal Register

CONSTITUTIONAL AND AMENDMENT RIGHTS

First Amendment - Freedom of Religion; Freedom of Speech or Press, Right to Assemble and to Petition the Government for redress of grievances. Second Amendment - Right to Keep and Bear Arms. Fourth Amendment - Right Against Unreasonable Searches and Seizures. Fifth Amendment - Prohibition Against Deprivation of Life, Liberties, or Property, without due process of law. Fourteenth Amendment - Due Process and Equal Protection. Fifteenth, Nineteenth and Twenty-Sixth Amendments - Right to Vote.

FOUO

For Official Use Only

FOIA

Freedom of Information Act

DoD 5400.7-R_AFMAN 33-302

Freedom of Information Act Program, includes statute 5 U.S.C. § 552

PAS Purpose

Identifies the principal purpose or purposes for which the information is intended to be used.

PAS Disclosure

Identifies whether disclosure of information is voluntary or mandatory. (Mandatory is used when disclosure is required by law and the individual will be penalized for not providing information. All mandatory disclosure requirements must first be reviewed by the servicing legal office). Include any consequences of nondisclosure in non-threatening language.

Sensitive PII

If lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual when grouped with a name or unique identifier.

Non-Sensitive PII

If lost, compromised, or disclosed without authorization, Non-sensitive PII would NOT result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

MAJCOM/A6s and Wing Commanders Civil Liberties responsibilities

Implement the AF Civil Liberties program for personnel under their command/supervision. Appoint a Civil Liberties Point of Contact (POC) for their organization with commensurate duties and responsibilities. This individual is normally the Privacy Manager.

PAS AF SORN(s)

Lists applicable SORN by number and title

PAS Authority

Lists the legal authority that authorizes the solicitation of the personal information.

PAS Routine Uses

Lists who the personal information will be shared with on a routine basis outside the DoD.

Review end of year report

Mandated by law and reported on a fiscal year basis to the Directorate for Freedom of Information and Security Review office.

Step 2 - Determine Sufficiency of Request

Before disclosing any records, including whether records exist, the privacy manager should review the sufficiency of the request. The manager must seek clarification from the requester if the information supplied to locate and identify the records is insufficient. Misdirected requests must be forwarded to the appropriate location with a copy of the referral to the requestor.

Individuals can be granted access to FOUO information

When a valid need in connection with the accomplishment of a lawful and authorized Government purpose has been determined. Granted by the individual who has authorized possession, knowledge, or control of the information and not on the prospective recipient.

United States Postal Service

When transmitting via USPS, FOUO information is sent using first class, parcel post or fourth class.

Privacy Act Statement (PAS)

Personal information is maintained in a SOR or collected on an official AF Form.

PII

Personally Identifiable Information

What is Privacy Act Information?

Personally Identifiable Information (PII) which is personal information that is maintained in a System of Record (SOR). All agencies are required to give public notice of their SOR by publication in the Federal Register.

PA

Privacy Act

Warning Banner

Privacy Act Notices and Markings that are made available to individuals when their personal information is requested.

PA OPR

Privacy Act Office of Primary Responsibility

What is designated at each organization level to manage and implement the Air Force Privacy Act Program?

Privacy Act Office of Primary Responsibility (PA OPR)

PAS

Privacy Act Statement

PIA

Privacy Impact Assessments

Step 3 - Respond to the Requester

Privacy Managers must acknowledge requests for PA records within 10 days (excluding weekends and federal holidays) of receipt. Managers should date stamp the request upon receipt. If requested records are not immediately available, the manager must give the requester a date of availability. If records cannot be found or have been destroyed, the custodian must inform the requester.

Step 5 - Record Disclosures

Privacy managers must keep an accurate record of all disclosures made from any SOR except disclosures to DoD personnel for a valid official use. Use AF Form 771, Accounting of Disclosures. Retain disclosure accountings for 5 years after the disclosure, or for the life of the record, whichever is longer.

Findings that led to the citing of Public Law 93-579 were:

Privacy of an individual was directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies. The increasing use of computers and technology to perform essential operations magnified the harm to individual privacy. Opportunities to secure credit, employment, insurance, and other legal protections are endangered by the misuse of certain information systems.

What public law became the Privacy Act of 1974?

Public Law 93-579

Protection During Work Hours

Reasonable steps shall be taken to minimize risk of access by unauthorized personnel. FOUO information should be covered and placed out of sight. If available, use a privacy screen for monitors when working on electronic FOUO information.

RDS

Records Disposition Schedule

Base Records Managers are consulted prior to the deletion of any records to ensure records are authorized for destruction according to the ____________________.

Records Disposition Schedule (RDS)

RSC

Requester Service Center

US-CERT

United States Computer Emergency Readiness Team

Methods of Transmission

United States Postal Service (USPS), hand carry, or electronic transmission.

Labeling the removable device

Use the Standard Form (SF) 706 - Top Secret, 707 - Secret, 708 - Confidential, or 710 - Unclassified. Identifies the highest classification level of the information stored on the device.

PIA Content

What information is to be collected; why the information is being collected; intended use of the information; who the information will be shared with; what opportunities individuals have to decline to provide information or to consent to particular uses of the information, and how individuals can grant consent; how the information will be secured.

Openness with the Public

The DoD shall conduct its activities in an open manner consistent with the need for security and adherence to other requirements of law and regulation. Records not exempt from disclosure under the FOIA shall, upon request, be made readily accessible to the public in accordance with rules of the FOIA Program.

Hardware/removable media used to store FOUO information

must be labeled to notify users. Protection is applied to hardware/removable media by physically placing a label on the device.

OMB 10-22 PII Definition

not anchored to any single category of information or technology. It demands a case-by-case assessment of the specific risk that an individual can be identified. In this evaluation, agencies must understand that non-PII can become PII whenever additional information is made publicly available when combined with other available information.

United States Computer Emergency Readiness Team (US-CERT)

part of the Department of Homeland Security's National Cybersecurity and Communications Integration Center. This team leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation.

DoD policy

protect the privacy and civil liberties of its employees, members of the military services, and the public to the greatest extent possible, consistent with its operational requirements.

Public Law 93-579

provide safeguards for the protection of individual information such as an individual's name, address, and Social Security Number.

Privacy Act Program Objectives

restrict disclosure; increased rights of access to agency records; amendment of agency records; establish basic requirements

What are the four objectives of the Privacy Act?

restrict disclosure; increased rights of access to agency records; amendment of agency records; establish basic requirements

Civil liberties

revolve around the right to be free from unequal treatment based on protected characteristics (ex: race, gender, disability).

Electronic Transmission

shall be by approved, secure communications systems or systems utilizing access controls such as Public Key Infrastructure (PKI)

two types of FOIA requests

simple and complex

OMB 10-22

states that "PII is not anchored to any single category of information or technology" and "demands a case-by-case assessment of the specific risk that an individual can be identified."

Disclosure

the act of releasing all relevant information that may influence a decision.

What must individuals receive when required to provide personal information that will not be maintained in a SOR?

they must receive a Privacy Act Statement (PAS) from the collector of the information.

FOUO dissemination control was established

to ensure routine official unclassified information is protected according to its sensitivity level. This standardization facilitates control, distribution, and release of such documents to prevent unauthorized disclosure.

Why was FOIA established?

to inform the general public of government activities. Provides the public with the maximum amount of accurate and timely information concerning its activities.

Purpose of PA

to protect individuals from unwarranted invasion of their privacy.

What is the sole purpose of PA programs?

to protect individuals from unwarranted invasion of their privacy.

AFI 33-332, Air Force Privacy and Civil Liberties Program

transmitting personal information via e-mail, "FOUO" is added to the beginning of the subject line followed by the Privacy Act Statement at the beginning of the body of the message. If an attachment containing personal information is included, the e-mail must be digitally signed and encrypted. Note: This is also a requirement for PA and PII; therefore, you will see this throughout the text.

Hand Carry

use cover sheets with clear classification or protective markings.

PII Transmission

via e-mail, United States Postal Service (USPS), or hand carried

FOIA requests for records are submitted in

writing via hand-delivery, mail, fax, or online at www.efoia.af.mil to the applicable Requester Service Center (RSC)

Who are PII breaches reported to?

installation Privacy Official

Enterprise Information Technology Data Repository (EITDR)

is an AF system of record for Information Technology Compliance management data

The Privacy Act requires that each federal agency ______________

maintain a Privacy Act Program

The DoD shall conduct its activities in an open manner consistent with the need for security and adherence to other requirements of __________________________.

law and regulation

Office of Management Budget (OMB)

07-16, Safeguarding Against and Responding to PII Breach and OMB 10-22, Online Use of Web Measurement and Customization.

Requests are processed within

20 working days unless a request for expeditious processing is approved. The 20 working day processing time begins the day the request is first received by the RSC.

Unit Privacy Monitor

Acts as the liaison between the unit and the Base Privacy Manager. They must provide direction and training to their commander and unit personnel. Unit Privacy Monitors will assist Commanders (equivalent) with implementing procedures to reinforce the protection of Privacy Act information.

Civil Liberties Point of Contact (POC)

Administering direction and procedures prescribed in AFI 33-332 within their organization. Ensuring training is available for their organizations. POCs will promote civil liberties awareness throughout their organizations. Direct complaints that may have civil liberties implications to the appropriate investigative office, such as the Inspector General (IG), Equal Opportunity (EO), or the appropriate commanding officer for commander directed investigations.

Initial Denial Authority (IDA)

After the OPR and Legal Office concur on the request denial, all contents are forwarded to them. The ____________ is an official who has been granted authority to withhold records requested under the FOIA for one or more of the nine exemptions. Typically, Commanders and Vice Commanders are appointed; however, they may delegate authority within their organization.

Protection After Work Hours

After working hours, store FOUO information in unlocked containers, desks or cabinets if Government or Government-contract building security is provided. If building security is not provided, store the information in locked desks, file cabinets, bookcases, locked rooms, etc.

List the requirements for using e-mail to transmit PII.

All e-mails containing PA, PII or other sensitive information must be encrypted prior to sending. Alternate means to transmit sensitive information when e-mail is not possible include using the Safe Access File Exchange (SAFE).

FOIA Request for Records

Any person (excluding fugitives and Federal Agencies) can submit a FOIA request for records. The request for records must state a willingness to pay any/all fees, and must have a valid postal mailing address. Requests are submitted in writing and fees are collected after the request is processed.

PIA Review

At a minimum PIAs must be reviewed annually by the Information System Owner (ISO) and Privacy Manager. Also, PIAs are required to be performed, approved and/or updated when a system change exposes a new privacy risk for which an Information Assurance control must be identified and tested. The PIA must be performed before re-deployment or re-release of the system.

Privacy Act Statement (PAS) includes:

Authority, Purpose, Routine Uses, Disclosure, AF SORN(s)

Authorized Disclosure

Authorized disclosure is granted from the owner of the information to those with a need to know.

ACTS

Automated Case Tracking System

Step 1 - Verify Identity of the Requester

Avoid an unauthorized disclosure. Verification can be accomplished visually, by having personal knowledge of the requester, by signed letter, notarized statement, or unsworn statement.

Simple

Can be processed quickly with limited impact on responding units. Clearly identifies the records with no (few) complicating factors involved. Only one installation is involved and there is no outside Office of Primary Responsibility (OPR).

Under the FOIA, _________________ have the right to request records in writing from the Federal Government.

Citizens

Responsibilities

Commanders at each level maintain authority of the FOIA Program and will appoint a FOIA Manager at each level in writing. 3D0X1 Knowledge Managers may be appointed as FOIA Managers or be assigned to assist base FOIA Managers.

The three objectives of the FOIA

Compliance, Openness with the Public, and Avoidance of Obstacles

Who may request a copy of their records maintained in a SOR?

Individuals or their designated representatives may request a copy of their records maintained in a SOR. Requesters need not state why they want access to their records.

Compilation Effect

Information that is not otherwise attributed to one individual can become PII if it is associated with an identifier or other information which relates the information to a specific individual.

OMB 07-16 PII Definition

Information which can be used to distinguish or trace an individual's identity. This information includes but is not limited to their name, social security number, biometric records alone or when combined with other personal, or identifying information which is linked to a specific individual such as date and place of birth or mother's maiden name.

Privacy Act Mandates

Informs individuals of why information is being collected and how it is going to be used. Assures information is accurate, relevant, complete, and up-to-date before disclosing to others. Allows you to find out about disclosures of your records to other agencies or persons. Provides you with the opportunity to correct inaccuracies in your records.

IDA

Initial Denial Authority

IG

Inspector General

FOIA Manager

Installation Commanders appoint them, in writing, to comply with FOIA requirements. They receive, track, and coordinate all FOIA requests for their base using eFOIA software. Required to review all requested records and assist with redaction in consultation with the responsible office of primary responsibility (OPR). Ensures their program complies with FOIA.

Office of Primary Responsibility (OPR)

Is the organization that prepared or is responsible for the records requested in the FOIA request for records. Provide requested records and indicate withheld parts of records annotated with FOIA exemptions. Provide written recommendations to the disclosure authority to determine whether or not to release records, and act as the declassification authority when appropriate.

FOIA Monitor

Is the point of contact within an OPR. Once the OPR receives the request, they are tasked to locate the records. Upon review, they will assist OPRs in reviewing all requested records to determine whether records are responsive to the request. If portions of the information are not releasable, they will assist with redactions. Finally, they will ensure a thorough search for records has been conducted by the OPR and ensure the OPR completes the no records certification when records are not located in response to the request.

Air Force Privacy Officer

Member of the HQ USAF (HAF) Air Staff and resides at the Pentagon. Administering guidance and procedures prescribed in AFI 33-332 and DoD policies. Developing AF policy to ensure protection of PA, PII, and Civil Liberties. Providing guidance and assistance to Privacy Managers.

Marking E-mails Containing FOUO

Needs to be marked in the subject line and body. Must only go to people with a need to know.

Step 4 - Provide Records in Person

Notify the requester when and where records will be available for inspection or copying, and comply with the requester's instructions if feasible. When a requester reviews records in person, the manager or designee must be present and observe the requester's handling of the records.

A Privacy Act complaint and violations

Occur when responsibilities aren't maintained and when an agency or individual knowingly or willfully fails to comply. An allegation that an agency or its employees violated a specific provision.

OMB

Office of Management Budget

OPR

Office of Primary Responsibility

Federal Register (FR)

Official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices. It is published daily to the internet, except on federal holidays. It is a way for the government to announce changes to government requirements, policies and guidance to the public. The FR is compiled by the Office of the Federal Register.

Step 4 - Provide Records

Once records are located, provide them to the requester as soon as practical, unless they should be withheld (refer to exemptions).

OPREP

Operational Report

___________________ must promptly notify individuals in the event their personal information is lost, stolen or compromised.

Organizations

Air Force Civil Liberties Officer

Oversee the AF Civil Liberties program with execution by the AF Civil Liberties Point of Contact (POC). Review and approve AF Civil Liberties reports prior to submission to Defense Policy and Civil Liberties Office (DPCLO).

What action(s) must be taken in the event of an unauthorized disclosure?

PII breaches must be reported to installation Privacy Official by anyone discovering it. In return, the Privacy Manager/Monitor will submit a Preliminary PII Incident Report by unencrypted email according to the timeline to create the PII Incident Final Report. PII Breach Reports shall be completed using DD Form 2959, Breach of Personally Identifiable Information (PII) Report.

Misdirected FOIA requests are

forwarded to the applicable RSC. The response period for those is 10 days from the date the request is first received by any RSC or the date the correct RSC received the request, whichever is earlier.

SAFE

Safe Access File Exchange

Step 4 - Provide Records in writing

Send the requested information or copies of records to the requester via certified mail, return receipt service requested, as soon as any required fees or statement of release are received.

Air Force Civil Liberties POC

Serve as the AF member of the DoD Defense Civil Liberties board. Review AF publications and policies to support the proper protection of civil liberties. Maintain the AF Civil Liberties website to ensure training materials, and civil liberties directions are current. Create and maintain the Annual Civil Liberties ADLS training.

Military Limitations

Service members must exercise their civil liberties in a manner consistent with good order and discipline.

What plan is intended to reduce or eliminate the use of SSN in DoD and AF systems of records?

Social Security Number Removal Plan

How to Access a PIA for Review

Step 1 - Access the Air Force Privacy Act Home Page at http://www.privacy.af.mil ; Step 2 - Locate Quick Links (top right) and select "Privacy Impact Assessments"; Step 3 - Select the Privacy Impact Assessment for the system you wish to review.

Process a request for PA information:

Step 1 - Verify Identity of the Requester; Step 2 - Determine Sufficiency of Request; Step 3 - Respond to the Requester; Step 4 - Provide Records; Step 5 - Record Disclosures

Steps for Accessing the Air Force FOIA Library and Locating Records

Step 1. Access http://www.foia.af.mil. Step 2. Select FOIA Library (third tab). Step 3. Select AF FOIA Library (Frequently Requested FOIA Documents/Proactive Disclosures). Step 4. Select AF FOIA Library (on the left). Step 5. Enter search information.

Steps for Reviewing End of Year Reports

Step 1. Access http://www.foia.af.mil. Step 2. Select _______ _______ (tab at top of page). Step 3. Select the applicable report.

SOR

System of Record

SORN

System of Record Notice

Complex

Take time and cause significant impact on units. May include records sought maximum in volume. Multiple organizations must review/coordinate on requested records. Records may be classified, originated with a non-government source, are part of the Air Force's decision-making process, or are privileged.

Step 11

The FOIA Manager conducts a FOIA and PA exemption review.

Step 4

The FOIA Manager determines the Office of Primary Responsibility (OPR).

Step 5

The FOIA Manager forwards request to the OPR with a suspense for completion.

Step 8

The FOIA Manager forwards the request to the Legal Office.

Step 2

The FOIA Manager inputs the request information into eFOIA.

Step 3

The FOIA Manager prepares and sends a letter of acknowledgment to the requestor along with a tracking number.

Step 12

The FOIA Manager provides information to requester.

Step 1

The FOIA Manager receives the FOIA request.

Step 9

The Legal Office conducts a review of the request to ensure the release or denial of information is in compliance with law.

Step 10

The Legal Office returns the request to the FOIA Manager.

Step 6

The OPR conducts a review and determines what info can be released or denied.

Step 7

The OPR returns the request to the FOIA Manager.

Who is responsible for ensuring the FOIA Request for Records "reasonably" describes the records sought?

The Requester is.

Methods of Disposal

The methods include pulping, macerating, tearing, burning, shredding or via recycling through the Defense Reutilization and Marketing Office (DRMO). Records stored on magnetic media are destroyed by degaussing or overwriting according to established guidelines.

Requester

The person who submits a request for records in writing to the agency. He/she is responsible for ensuring the request "reasonably" describes the records sought.

Social Security Number Removal Plan

The plan is intended to reduce or eliminate the use of SSN in DoD and AF systems of records, IT systems, and forms.

FOIA Exemptions

The releasing and denying of records is based on the statutes that govern the request. Congress established categories called FOIA Exemptions to prevent the release of information that would be harmful to the government or private interest. There are nine exemptions.

Within how many workdays should the SOR owner provide requested records?

They will get a copy of the requested record within 20 workdays of receiving the request.

Legal Office

They will perform a review of all FOIA requests for records to ensure the FOIA representatives are following applicable laws and instructions. They will also determine whether one or more statutory exemptions permit withholding of information.

Protecting privacy information is the responsibility of

every federal employee, military member, and contractor who handles PII contained in any record.

The purpose of a PIA

To ensure there is no collection, storage, access, use or dissemination of PII that is not both needed and permitted.

Unit Privacy Monitor will:

Track assigned personnel privacy training and forward information to the Base PA OPR. Provide specialized training to individuals who handle personal information or PII on a daily or routine basis. Provide direction to the commander/equivalent to assist with resolution of privacy breaches, complaints, and violations. Submit quarterly reports and/or other required reports as directed by their privacy manager. Maintain copies of approved file plans with SOR for the purpose of identifying records protected under the PA of 1974 to assist with conducting inspections or PA requests. Process PA Requests as directed by the Base Privacy Manager.

Unauthorized Disclosure

Unauthorized disclosure occurs when an individual or individuals gain access to any information without permission.

determines whether the information

information owner

FOUO is defined as

a dissemination control applied by the Department of Defense (DoD) to unclassified information when disclosure to the public of that particular record, or portion of the record, would reasonably be expected to cause harm to an interest protected by one or more exemptions

System of Record Notice (SORN)

a legal document that describes the kinds of personal data collected and maintained in a SOR. It also describes what the records are used for, and how an individual may access or contest the records in the system. They're published in the Federal Register to provide the public an opportunity to comment before implementing the SOR. The records may be in paper format or in a database.

Upon receipt of the request,

a letter of acknowledgement is sent to the requester along with a tracking number.

PII breach

an actual or possible loss of control, compromise or any unauthorized disclosure of PII whether electronic or physical

Safe Access File Exchange (SAFE)

an application used to securely exchange files.

Official Records

any information in any format, including email, reports and presentations (electronic or printed), handwritten notes, databases, spreadsheets, maps, and photos.

System of Record (SOR)

defined as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Records kept in a __________ must be identified on a file plan.

According to the provisions of chapter 33 of title 44, U.S.C. and Air Force records management directives

disposing of record copies of FOUO documents, consult with a Records Professional. Record copies are official and shall be disposed

Only officially approved System of Record

eFOIA

DoD Civil Liberties Program

ensures the Air Force has adequate procedures to receive, investigate, respond to, and provide redress for complaints from individuals who allege the AF has violated their civil liberties.

Privacy Act (PA)

established a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. Requires that each federal agency maintains it.

