It is critical that DHS employees and contractors understand how to properly safeguard personally identifiable information (PII), since a lack of awareness could lead to a major privacy incident and harm an agency’s reputation. Therefore, implementing a privacy awareness training program to equip all of your employees to proactively protect PII is vital. From how to stop phishing attacks to best practices for data management and protection, there are numerous fundamentals involved in securing PII. Listed here are some ideas to help you raise awareness and establish a culture of privacy in your organization based on what we do at DHS.
Requirements
Congress and the Office of Management and Budget (OMB) have mandated privacy training for federal employees and contractors at all federal Executive Branch agencies to help staff identify and mitigate privacy risks.
Federal Statute
- 5 U.S.C. § 552a, Privacy Act of 1974, as amended.
OMB/Government-wide Regulations and Guidelines
- OMB Circular No. A-130, Management of Federal Information Resources, updated July 28, 2016. See Appendix I on page 11.
- Agencies shall develop, maintain, and implement mandatory agency-wide information security and privacy awareness and training programs for all employees and contractors.
- National Institutes for Standards and Technology (NIST) Risk Management Framework, specifically described in NIST Special Publication (SP) 800-53 Rev. 5, September 2020. See pp. 59-64.
- Provide security and privacy literacy training to system users (including managers, senior executives, and contractors) as part of initial training for new users and when required by system changes.
- OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017. See page 10.
- OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016. See page 36.
DHS Policy
- DHS Delegation 13001, Delegation to the Chief Privacy Officer, June 2020.
- DHS Directive 047-01, Privacy Policy and Compliance, July 2011.
For Government Contractors:
- Homeland Security Acquisition Regulation Class Deviation 15-01: Safeguarding of Sensitive Information, March 2015. See Information Technology Security and Privacy Training.
- Federal Acquisition Regulation standard contract clause. See Part 52.224.3, Privacy Training.
Courseware
Privacy training should: (1) inform staff about your privacy risk management framework and policies; (2) describe the role and function of your Privacy Office; and (3) convey the proper methods to safeguard PII to prevent its compromise.
- The DHS Handbook for Safeguarding Sensitive PII contains DHS policy requirements to prevent a privacy incident involving PII during all stages of the information lifecycle: when collecting, storing, accessing, sharing, or destroying PII.
New employee training: It is important to train all staff when they onboard before they access PII, especially those who will handle PII regularly. A privacy overview can be included in a new hire orientation program. Learning objectives should include understanding their responsibilities as a data steward to identify and safeguard PII, and when and how to report a privacy incident.
Mandatory annual refresher training: With the assistance of the Privacy Office, the Department utilizes a computer-based training module to ensure all Department employees complete their annual privacy training requirement on a timely basis. Privacy Officers should monitor completion rates and target training resources towards those offices that are delinquent on such training.
- DHS employees and contractors are required to complete the annual online privacy awareness training: Privacy at DHS: Protecting Personal Information within the Learning Management System.
- DHS contractors are required to complete the same course preferably before they onboard; if not, within 30 days of onboarding.
Role-based training: Create customized courses specific to the needs of staff who have significant access to paper files or IT systems that contain PII as a core element of their job responsibilities.
- Staff handling PII might include: Administrative Officer, Human Resources, Payroll Processor, Claims Analyst, ISSOs, Program Managers, or Database Administrators, Personnel Security Officer, or Procurement/Acquisitions.
- Training topics might include: use of social media and mobile applications, embedding privacy into contracts, and storing PII securely on SharePoint and network shared drives.
You can augment privacy training with creative events and activities to promote the ongoing awareness of privacy responsibilities, and help staff identify and mitigate privacy risks. DHS staff surveys show that people like to receive privacy messages all year long, through a variety of distribution channels. These reminder messages should be short and relevant, and repeated often to help change behavior.
Ideas include:
- Privacy newsletter with privacy-protection tips.
- Lunch-and-learn session on privacy best practices.
- Privacy Day/Week featuring speakers on data protection topics.
- Posters in elevators, lunchrooms, pantries, and copier rooms.
- Swag with privacy protection messages: mouse pads, pens, door hangers, webcam covers, and bookmarks.
- Factsheets detailing how to safeguard PII.
- Privacy resources posted on your intranet site.
- Email campaigns with privacy tips:
- How to Properly Email Sensitive PII
- How to Spot Insider Threat
- How to Spot a Phishing Email
- How to Safeguard Sensitive PII and Defend Against Identity Theft
- How to Minimize the Proliferation of Sensitive PII
- How to Report a Privacy Incident
- How to Restrict Access to Sensitive PII on a Shared Drive and SharePoint
Use these methods to determine if your training and awareness activities are effective:
- Surveys: Distribute a participant survey at every training event to gather feedback and measure training effectiveness. You can also survey your staff to assess privacy policy awareness.
- Course completions: Automate course completions through your learning management system and/or website to determine what percentage of your workforce, including contractors, is completing your annual online privacy training course.
- Incident reporting: Awareness activities may cause a temporary spike in the number of privacy incidents reported. Your goal is to reduce privacy incidents over time as awareness increases. Also, be sure to update your training and awareness programs to reflect the most common incident types.
- Websites: Be sure to include a call-to-action in your awareness activities, for example, send people to the privacy resources on your websites and then track page hits and downloads.