It is critical that DHS employees and contractors understand how to properly safeguard personally identifiable information (PII), since a lack of awareness could lead to a major privacy incident and result in harm to the agency’s mission and reputation. Therefore, implementing a privacy awareness training program so all your employees can actively protect PII is vital. From how to stop phishing attacks to best practices for data management and protection, there are numerous fundamentals involved in securing PII. Listed here are some ideas to help you raise awareness and establish a culture of privacy in your organization.
Congress and the Office of Management and Budget (OMB) have mandated privacy training for employees, contractors, detailees, interns and consultants at all federal Executive Branch agencies to help staff identify and mitigate privacy risks related to PII.
- OMB Circular No. A-130, Managing Information as a Strategic Resource, Appendix II, Responsibilities for Managing Personally Identifiable Information, 81 Fed. Reg. 49,689 (July 28, 2016); (See Appendix I Section 4(h)(1), (2), (4) and (5)).
- National Institute of Standards and Technology (NIST) Risk Management Framework, specifically described in NIST Special Publication (SP) 800-53 Rev. 4, App. J (see Privacy Control AR-5)
- Homeland Security Acquisition Regulation Class Deviation 15-01: Safeguarding of Sensitive Information, or
- Federal Acquisition Regulation standard contract clause 52.224-3
Privacy training should: (1) inform staff about your privacy risk management framework and policies; (2) inform staff of the role and function of your Privacy Office; and (3) convey the proper methods to safeguard PII to prevent its compromise.
- The DHS Handbook for Safeguarding Sensitive PII contains best practices and DHS policy requirements to prevent a privacy incident involving PII during all stages of the information lifecycle: when collecting, storing, accessing, sharing or destroying PII.
New employee training: It is important to train all staff when they onboard before they access PII, especially those who will handle PII regularly. A privacy overview can be included in a new hire orientation program. Learning objectives should include understanding their responsibilities as a data steward to identify and safeguard PII, and when and how to report a privacy incident.
Mandatory annual refresher training: Most people prefer classroom training, but to reach all staff on an annual basis to fulfill training mandates, computer-based training is easier to implement and maintain, and metrics are easier to track. Privacy Officers should monitor completion rates and target training resources towards those offices that are delinquent on such training.
- Both feds and contractors need to complete the DHS mandatory annual online privacy awareness training in your Component’s Learning Management System: Privacy at DHS: Protecting Personal Information.
- Contractors can complete this course before they onboard at DHS by accessing it on this website: https://www.dhs.gov/xlibrary/privacy_training/index.htm
Role-based training: Create customized courses specific to the needs of staff who have significant access to paper files or IT systems that contain PII as a core element of their job responsibilities.
- Staff handling PII might include: Administrative Officers, Human Resources staff, Payroll Processors, Claims Analysts, ISSOs, Program Managers, Database Administrators, Personnel Security Officers, or Procurement/Acquisitions staff.
- Training topics might include: use of social media and mobile applications, embedding privacy into contracts, and storing PII securely on SharePoint and network shared drives.
You can augment privacy training with creative events and activities to promote the ongoing awareness of privacy responsibilities, and help staff identify and mitigate privacy risks. DHS staff surveys show that people like to receive privacy messages all year long, through a variety of distribution channels. These reminder messages should be short and relevant, and repeated often to help change behavior.
- Email a monthly privacy newsletter with privacy-protection tips.
- Organize a lunch-and-learn session on privacy best practices.
- Plan a Privacy Day/Week featuring speakers on data protection topics.
- Display posters in elevators, lunchrooms, pantries, and copier rooms.
- Distribute swag with privacy protection messages, including mouse pads, pens, door hangers, webcam covers, and bookmarks.
- Distribute factsheets detailing how to safeguard PII.
- Organize burn bag contests to destroy paper and electronic files containing PII.
- Post privacy protection resources on your intranet site.
- Send periodic email campaigns with privacy tips:
  - How to Properly Email Sensitive PII
  - How to Spot Insider Threat
  - How to Spot a Phishing Email
  - How to Safeguard Sensitive PII and Defend Against Identity Theft
  - How to Minimize the Proliferation of Sensitive PII
  - How to Report a Privacy Incident
  - How to Restrict Access to Sensitive PII on a Shared Drive and SharePoint
Use these methods to determine if your training and awareness activities are effective:
- Course completions: Automate the tracking of course completions through your learning management system and/or website to determine what percentage of your workforce, including contractors, is completing your annual online privacy training course.
- Incident reporting: These activities may cause a temporary spike in the number of privacy incidents reported. Your goal is to reduce privacy incidents over time as awareness increases. Also, be sure to update your training and awareness programs to reflect the most common incident types.
- Websites: Be sure to include a call to action in your awareness activities; for example, send people to the privacy resources on your websites and then track page hits and downloads.