It is critical that DHS employees and contractors understand how to properly safeguard personally identifiable information (PII), since a lack of awareness could lead to a major privacy incident and harm an agency’s reputation. Therefore, implementing a privacy awareness training program to equip all of your employees to proactively protect PII is vital. From how to stop phishing attacks to best practices for data management and protection, there are numerous fundamentals involved in securing PII. Listed here are some ideas to help you raise awareness and establish a culture of privacy in your organization based on what we do at DHS.
Congress and the Office of Management and Budget (OMB) have mandated privacy training for employees, contractors, detailees, interns, and consultants at all federal Executive Branch agencies to help staff identify and mitigate privacy risks related to PII.
- OMB Circular No. A-130, Managing Information as a Strategic Resource, Appendix II, Responsibilities for Managing Personally Identifiable Information, 81 Fed. Reg. 49,689 (July 28, 2016) (see Appendix I Section 4(h)(1), (2), (4) and (5)).
- National Institute of Standards and Technology (NIST) Risk Management Framework, specifically described in NIST Special Publication (SP) 800-53 Rev. 4, App. J (see Privacy Control AR-5).
- Homeland Security Acquisition Regulation Class Deviation 15-01: Safeguarding of Sensitive Information or
- Federal Acquisition Regulation standard contract clause 52.224-3
Privacy training should: (1) inform staff about your privacy risk management framework and policies; (2) describe the role and function of your Privacy Office; and (3) convey the proper methods to safeguard PII to prevent its compromise.
- The DHS Handbook for Safeguarding Sensitive PII contains DHS policy requirements to prevent a privacy incident involving PII during all stages of the information lifecycle: when collecting, storing, accessing, sharing, or destroying PII.
New employee training: It is important to train all staff when they onboard before they access PII, especially those who will handle PII regularly. A privacy overview can be included in a new hire orientation program. Learning objectives should include understanding their responsibilities as a data steward to identify and safeguard PII, and when and how to report a privacy incident.
Mandatory annual refresher training: With the assistance of the Privacy Officer, the Department uses a computer-based training module to ensure all Department employees complete their annual privacy training requirement on time. Privacy Officers should monitor completion rates and direct training resources toward those offices that are delinquent on such training.
- Both employees and contractors need to complete the DHS mandatory annual online privacy awareness training in your Component’s Learning Management System: Privacy at DHS: Protecting Personal Information.
- Contractors are required to complete this course before they onboard.
Role-based training: Create customized courses specific to the needs of staff who have significant access to paper files or IT systems that contain PII as a core element of their job responsibilities.
- Staff handling PII might include: Administrative Officers, Human Resources staff, Payroll Processors, Claims Analysts, Information System Security Officers (ISSOs), Program Managers, Database Administrators, Personnel Security Officers, and Procurement/Acquisitions staff.
- Training topics might include: use of social media and mobile applications, embedding privacy into contracts, and storing PII securely on SharePoint and network shared drives.
Promoting Privacy Awareness
You can augment privacy training with creative events and activities to promote the ongoing awareness of privacy responsibilities, and help staff identify and mitigate privacy risks. DHS staff surveys show that people like to receive privacy messages all year long, through a variety of distribution channels. These reminder messages should be short and relevant, and repeated often to help change behavior.
- Privacy newsletter with privacy-protection tips.
- Lunch-and-learn session on privacy best practices.
- Privacy Day/Week featuring speakers on data protection topics.
- Posters in elevators, lunchrooms, pantries, and copier rooms.
- Swag with privacy protection messages: mouse pads, pens, door hangers, webcam covers, and bookmarks.
- Factsheets detailing how to safeguard PII.
- Privacy resources posted on your intranet site.
- Email campaigns with privacy tips:
  - How to Properly Email Sensitive PII
  - How to Spot Insider Threat
  - How to Spot a Phishing Email
  - How to Safeguard Sensitive PII and Defend Against Identity Theft
  - How to Minimize the Proliferation of Sensitive PII
  - How to Report a Privacy Incident
  - How to Restrict Access to Sensitive PII on a Shared Drive and SharePoint
Use these methods to determine if your training and awareness activities are effective:
- Course completions: Automate the tracking of course completions through your learning management system and/or website to determine what percentage of your workforce, including contractors, has completed your annual online privacy training course.
- Incident reporting: Awareness activities may cause a temporary spike in the number of privacy incidents reported, because staff become better at recognizing and reporting them. Your goal is to reduce privacy incidents over time as awareness increases. Also, be sure to update your training and awareness programs to reflect the most common incident types.
- Websites: Be sure to include a call to action in your awareness activities, for example directing people to the privacy resources on your websites, and then track page hits and downloads.