Critical analysis needed 1
What is a privacy impact assessment (PIA)?
A privacy impact assessment states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected and how it will be shared.
Name and briefly describe 3 best practices for federal government IT managers who are charged with preparing a PIA.
Threshold Assessment: The first step in undertaking a PIA is assessing whether a PIA is necessary for the project. Not every project will need a PIA. If an entity bound by the Privacy Act is developing a project that involves personal information, it must comply with that Act.
Planning the PIA is an important stage of the PIA process. Planning should consider a range of elements, including: how detailed the PIA needs to be, based on a broad assessment of the project and its privacy scope who will conduct the PIA the timeframe for the PIA the budget and other resources available for the PIA the extent and timing of stakeholder and public consultations steps that will need to be taken after the PIA, including implementation of recommendations and ongoing monitoring.
Describe the project: A PIA needs a broad, ‘big picture’ description of the project, including: the project’s overall aims how these aims fit with the organization or agency’s broader objectives the project’s scope and extent any links with existing programs or other projects who is responsible for the project timeframe for decision-making that will affect the project’s design some of the key privacy elements – for example, the extent and type of information that will be collected, how security and information quality are to be addressed, and how the information will be used and disclosed.
Name and briefly describe 3 "worst" practices for protecting privacy of individuals whose information is collected, processed, transmitted, and stored in federal government IT systems and databases.
1. Insiders who make innocent mistakes and cause accidental disclosures. Accidental disclosure of personal information probably the most common source of breached privacy happens in myriad ways, such as overheard conversations between care providers in the corridor or elevator, a laboratory technician's noticing test results for an acquaintance among laboratory tests being processed, information left on the screen of a computer in a nursing station so that a passerby can see it, misaddressed e-mail or fax messages, or misfiled and misclassified data.
2. Insiders who abuse their record access privileges. Examples of this threat include individuals who have authorized access to health data (whether through on-site or off-site facilities) and who violate the trust associated with that access. Health care workers are subject to curiosity in accessing information they have neither the need nor the right to know.
3. Insiders who knowingly access information for spite or for profit. This type of threat arises when an attacker has authorization to some part of the system but not to the desired data and through technical or other means gains unauthorized access to that data.
Retrieved from http://searchcompliance.techtarget.com/definition/Privacy-impact-assessment-PIA
Retrieved from https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments#undertaking-a-pia
Retrieved from http://www.nap.edu/read/5595/chapter/5#60