1919 Personally Identifiable Information Processing and Transparency Policy
Department of Human Services
Index: POL1919
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Personally Identifiable Information Processing and Transparency Policy for managing risk associated with information assets, information leakage, and network vulnerabilities. The Personally Identifiable Information Processing and Transparency Policy and its associated plans support the DHS mission by proactively identifying threats and vulnerabilities that can result in consequences (impact).
Authority
- United States Department of Commerce National Institute for Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Georgia Technology Authority Enterprise Information Security Policy
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS – Security Agreement
Applicability
This policy applies to all Information Technology (IT) resources owned or operated by DHS. Any information that is transmitted or stored on DHS IT resources (including e-mail, messages and files) and is not specifically identified as the property of other parties is the property of DHS. All users of IT resources (DHS employees, contractors, vendors or others) are responsible for adhering to this policy.
Responsibilities
DHS shall adopt the Personally Identifiable Information Processing and Transparency Policy and Procedures. The policy establishes a framework for the processing of Personally Identifiable Information and ensures transparency in the management of risks associated with information assets, data breaches, and network vulnerabilities. The following subsections outline the Personally Identifiable Information Processing and Transparency standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented in this policy.
PT-1 Personally Identifiable Information Processing and Transparency Policy and Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organizational-level Personally Identifiable Information Processing and Transparency policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the Personally Identifiable Information Processing and Transparency policy and the associated access controls;
- Designate an agency official to manage the development, documentation, and dissemination of the Personally Identifiable Information Processing and Transparency policy and procedures; and
- Review and update the current access control:
  - Policy every one (1) year (or if there is a significant change); and
  - Procedures every one (1) year (or if there is a significant change).
PT-2 Authority to Process Personally Identifiable Information
- Determine and document the IRC § 6103 section that permits the receipt of personally identifiable information; and
- Restrict the access of personally identifiable information to only that which is authorized.
PT-3 Personally Identifiable Information Processing Purposes
- Identify and document the organization-defined purpose(s) for processing Personally Identifiable Information (PII);
- Describe the purpose(s) in the public privacy notices and policies of the organization;
- Restrict the organization-defined processing of PII to only that which is compatible with the identified purpose(s); and
- Monitor changes in processing PII and implement organization-defined mechanisms to ensure that any changes are made in accordance with organization-defined requirements.
PT-4 Consent
Implement organization-defined tools or mechanisms for individuals to consent to the processing of their Personally Identifiable Information (PII) prior to its collection that facilitate individuals’ informed decision-making.
PT-5 Privacy Notice
Provide notice to individuals about the processing of Personally Identifiable Information (PII) that:
- Is available to individuals upon first interacting with an organization, and subsequently at an organization-defined frequency;
- Presents clear and easy-to-understand information about PII processing in plain language;
- Identifies the authority that authorizes the processing of PII;
- Identifies the purposes for which PII is to be processed; and
- Includes any additional information the organization deems necessary to effect compliance with applicable laws, regulations, or policies.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.