U.S. Government Privacy Certification - International Association of ...

copyright © 2011, IAPPU.S. Government Privacy CertificationProgram IntroductionOverviewThe IAPP is proud to offer the first, publicly available privacy certification for employees of U.S.federal government agencies, U.S. state and local governments, and the vendors and suppliers whoserve government customers.The Certified Information Privacy Professional/Government (CIPP/G) was developed by theIAPP with the assistance of leading privacy officers from U.S. government organizations. Theseinclude U.S. federal agencies such as the Postal Service, the Department of Justice, the Departmentof Veterans Affairs, the Office of Management and Budget and the Internal Revenue Service as wellas U.S. state agencies such as the California Department of Consumer Affairs. Leading governmentservices vendors IBM Corporation, MITRE Corporation, PricewaterhouseCoopers and SRAInternational also advised the development of the course curriculum as well as the delivery oftraining programs and reference materials.The CIPP/G program is offered exclusively by the IAPP and is made possible through thegenerous support of IBM Corporation.Who Should ApplyCIPP/G candidates are accepted from any one of the following categories:U.S. Federal Government• Officers and employees with privacy-related responsibilities or obligations such as privacyofficers, compliance managers, records managers, access-to-information coordinators,information security managers, information auditors, etc.• Officers and employees at regulatory agencies who handle privacy as part of their day-todayrolesPease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org1

copyright © 2011, IAPP• Individuals who advise senior officers with government on information management policiesand practices specifically as these relate to personal information such as recordsmanagement or record retention• Information technology officers (CIO, CTO, CISO, IS manager)U.S. State and Local Governments• Officers and employees with privacy-related responsibilities or obligations such as privacyofficers, compliance managers, records managers, access-to-information coordinators,information security managers, information auditors, etc.• Information technology officers (CIO, CTO, CISO, IS Manager)Private Sector Organizations• Attorneys, consultants, independent professionals and/or employees of vendor companieswho serve clients in U.S. Federal, state or local governments• Existing Certified Information Privacy Professionals (CIPPs) who wish to add a governmentprivacy specialization to their core credential.Certification RequirementsIn order to become certified in U.S. government privacy, candidates must complete and pass boththe IAPP Certification Foundation Examination and the CIPP/G Examination (offered separately) for agrand total of three hours of testing. These examinations are offered exclusively by the IAPP. Theyare administered on-site at select conferences and testing events that are held throughout theUnited States each year.• First-time candidates for IAPP privacy certification (e.g. individuals who do notpresently hold any IAPP certification) must activate an IAPP membership at any level inadvance of their test (special discounted rates for IAPP membership are available to U.S.government employees). Candidates must then pass both the Certification FoundationExamination, a two-hour, three-part, 120-item, objective test and the CIPP/G Examination,a one-hour, two-part, 60-item, objective test.• Existing IAPP-certified professionals (e.g. individuals who presently hold a CIPP,CIPP/C, CIPP/E or CIPP/IT certification) are “grandfathered” into the Foundation testingrequirement but must still meet the CIPP/G testing requirement by passing the CIPP/GExamination, a one-hour, two-part, 60-item, objective test.“Successful completion” of CIPP/G is defined as an aggregate score of 70% or greater oneach exam (as applicable under each scenario above). This means at least 84 out of 120 total pointsfor Certification Foundation exam and at least 42 out of 60 total points for CIPP/G exam. Partialcompletion of either exam will result in no credential being awarded until such time that allrequirements are met. The exams may be taken in sequence at the same sitting or separately atdifferent testing events.Pease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org2

copyright © 2011, IAPPUpon successful completion of both of the above referenced examinations, the CIPP/Gcertification becomes active on the date of the most recent examination and remains in forceannually provided that:(1) Once certified, the CIPP/G credential holder keeps the IAPP membership status current andin good standing each year; and,(2) Once certified, the CIPP/G credential holder also satisfies a minimum of 10 credit hours ofcontinuing privacy education each year.Continuing privacy education (“CPE”) is defined as any program, event, forum, book,presentation, speaking engagement or teaching engagement that relates in whole to informationprivacy, security, auditing, risk management or legal compliance whether provided by the IAPP oranother sanctioning body. Specific guidelines on CPE-eligible programs and application processes areavailable for review under the “Continuing Education” section of the IAPP Web site atwww.privacyassociation.org.Course FormatThe pages that follow this program introduction describe the CIPP/G Common Body of Knowledge(“CBK”) in outline form. The course consists of two sections:I. U.S. Government Privacy LawsII. U.S. Government Privacy PracticesCBK Section I addresses privacy laws, regulations and policies –those specific to governmentpractice as well as those more broadly applicable to both the public and private sectors in the UnitedStates.CBK Section II describes government-standard practices for privacy program development andmanagement, privacy auditing and records management as well as reporting obligations andprogram controls.Course ReferencesTraining for CIPP/G certification is optional and available through the IAPP Certification FoundationTraining Workshop and the CIPP/G Training Workshop for a grand total of seven hours of instruction.Each of these courses is available for purchase online (as a CD-ROM courseware package) as well ason-site (as live classroom sessions at select IAPP conferences and partner events).Additional CIPP/G reference materials include:• All chapters from “U.S. Government Privacy: Essential Policies and Practices for PrivacyProfessionals” by Julie McEwen, CIPP/G, CISSP and Dr. Stuart Shapiro, CIPP/G (IAPP,2008). ISBN #978-0-9795901-1-5.Pease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org3

copyright © 2011, IAPPU.S. Government Privacy CertificationOutline of the Common Body of Knowledge (“CBK”)for the Certified Information Privacy Professional/U.S.Governmment (“CIPP/G”)I. U.S. Government Privacy LawsA. Privacy Definitions and Principlesa. Privacy Definitionsi. Privacy and personally identifiable information (PII)b. Privacy Basicsi. Privacy as a core value in U.S. government1. Confidence and trust2. Mission effectivenessii. Privacy incidents in U.S. government1. Federal agency data breaches2. State and local government data breachesc. Fair information practicesi. The U.S. Department of Housing Education and Welfare (“HEW”) Reportof 1973B. U.S. Public and Private Sector Information Privacy Lawsa. Laws affecting both government and industryi. Health Insurance Portability and Accountability Act of 1998 (“HIPAA”)ii. Health Information Technology for Economic and Clinical Health Act of2009 (HITECH)iii. Children’s Online Privacy Protection Act of 2000 (“COPPA”)iv. Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley Act”or “GLBA”)Pease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org4

copyright © 2011, IAPPb. Laws compelling the disclosure of personal datai. Bank Secrecy Act of 1970ii. Foreign Intelligence Surveillance Act of 1978 (“FISA”)iii. Right to Financial Privacy Act of 1978iv. Electronic Communications Privacy Act of 1986 (“ECPA”)v. Uniting and Strengthening America by Providing Appropriate ToolsRequired to Intercept and Obstruct Terrorism Act of 2001 (“USA-PATRIOT”)vi. The Real ID Act of 2005C. Information Privacy Laws for U.S. Government Practicea. The Freedom of Information Act of 1974 (“FOIA”)i. Publicly available information1. Regulationsii. FOIA requests1. Exemptions under the Act2. Exclusions under the Actb. The Privacy Act of 1974 (as amended)i. System of records1. Definition2. System of Records Notices (“SORN”)a. How definedb. Routine Usesc. Data management requirementsd. Data sharingi. Internallyii. Externallyiii. Accounting of disclosurese. Federal Register requirementsi. When triggeredii. Notice requirementsiii. Periodic reviewsiv. Noticesii. Exemptionsiii. Contractorsiv. Notice to individuals1. When required2. How implemented3. Contentc. The E-Government Act of 2002i. Website privacy policy (Section 208)1. Consent to collection and sharing2. Rights under other privacy lawsa. Requirements on agenciesb. Rights of individualsii. Modifications to prior OMB guidelines1. Notice options2. Machine-readable privacy policyPease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org5

copyright © 2011, IAPPiii. Key Office of Management and Budget (“OMB”) Memoranda1. OMB M-03-22: Guidance for Implementing the Privacy Provisionsof the E-Government Act2. Modifications under M-03-022a. OMB M-99-05: Privacy Responsibilitiesb. OMB M-99-18: Privacy Policies on Federal Web sitesc. OMB M-00-13: Privacy Policies and Data Collection onFederal Web sitesiv. Privacy Impact Assessments (“PIA”)1. When required2. Timing3. Content4. Exceptionsa. National security systemsb. Systems previously assessed under a PIAc. Internal government operationsd. Systems collecting non-PIIi. Government Websites5. PIAs versus SORNs6. Publication requirements7. Reporting requirements8. Relationship to The Privacy Act of 1974d. Consolidated Appropriations Act of 2005i. Chief Privacy Officer and Audit provisionse. The Data Quality Act of 2002i. OMB guidanceii. Agency requirementsiii. Administrative mechanismsiv. Periodic reportingf. The Federal Information Security Management Act of 2002 (“FISMA”)i. Federal agency responsibilities1. Agency program2. Agency reporting3. Performance programii. System vs. Enterprise compliance1. PIA versus security certification and accreditation (“C&A”)2. National Institute of Standards and Technology (“NIST”) riskmanagement frameworka. SP 800-122: Guide to Protecting the Confidentiality ofPersonally Identifiable Information (PII)iii. OMB reporting instructions for FISMAg. Requirements under Section 803 of the Implementing Recommendations of the9/11 Commission Act of 2007h. The Federal Agency Data Mining Reporting Act of 2007i. Federal open meetings lawsi. Federal Advisory Committee Act (“FACA”)ii. Government in the Sunshine Actj. Open Government Directivei. OMB M-10-06Pease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org6

II.U.S. Government Privacy Practicescopyright © 2011, IAPPA. Privacy Program Management and Organizationa. Program developmenti. Program elementsb. Program managementi. FISMA modelc. Federal agency responsibilitiesi. Office of Management and Budget (“OMB”)1. OMB Circular A-130a. Assignment of responsibilities (Appendix 1)2. Reporting requirementsa. Biennial Matching Activity Reportb. New and Altered Systems of Records Reportc. New or Altered Matching Program Report3. Publication requirementsa. Publishing New or Altered Systems of Records Noticesand Exemption Rulesb. Publishing Matching Notices4. OMB Memoranda on protection of personally identifiableinformation (“PII”)a. M-07-16: Safeguarding Against and Responding To theBreach of Personally Identifiable Informationb. M-06-15: Safeguarding Personally IdentifiableInformationc. M-06-16: Protection of Sensitive Agency Information5. OMB Memoranda on data sharinga. M-11-02: Sharing Data while Protecting Privacyb. M-01-05: Guidance on Inter-agency Sharing of PersonalData – Protecting Personal Privacyc. M-04-26: Personal Use Policies and File SharingTechnologyd. U.S. Department of Homeland Security white papere. The President’s identity theft task force report6. OMB Memoranda on incident responsea. M-09-07: Recommendations for Identity Theft RelatedData Breach Notification Guidanceb. M-06-19: Reporting Incidents Involving PersonallyIdentifiable Information and Incorporating the Cost forSecurity in Agency Information Technology Investmentsc. M-07-16: Safeguarding Against and Responding To theBreach of Personally Identifiable Information7. OMB Memoranda on functional positions for privacya. M-05-08: Designation of Senior Agency Officials forPrivacy8. OMB Memoranda on Websites & Website Measurement, SocialMediaa. M-10-22: Guidance for Online Use of Web Measurementand Customization Technologiesb. M-10-23: Guidance for Agency Use of Third-partyWebsites and ApplicationsPease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org7

copyright © 2011, IAPPd. U.S. Government workforce managementi. Workforce hiring considerations1. Office of Personnel Management (“OPM”)2. Background screening and investigationsa. Levels of screeningb. Financial and medical recordsii. Office of Personnel Management (“OPM”)1. OPM Memorandum: Guidance on Protecting Federal EmployeeSocial Security Numbers and Combating Identity Theft (June 18,2007)e. Privacy policy enforcementi. Single or multiple policies for each agencyii. Sample approaches1. Census Bureau2. Internal Revenue Service (“IRS”)3. Department of Homeland Security (“DHS”)4. Department of Defense (“DoD”)B. Records Managementa. Management Processi. OMB Circular A-130b. Record retentionc. Inter-agency sharing of personal datai. M-01-05: Guidance on Inter-agency Sharing of Personal Data –Protecting Personal Privacyd. Personal use policies and “file sharing” technologyi. OMB M-04-16: Software Acquisitione. Common Rule for Protection of Human Subjectsi. Institutional review boards (“IRBs”)f. Disclosure of PII for statistical or research purposesi. Definition: government source to third partiesC. Auditing and Compliance Monitoringa. Auditingi. Pre-audit (e.g. “PIA”)ii. Post-audit (e.g. periodic review of disclosure audit trails)iii. Assessments vs. auditsb. Compliance monitoring and reportingi. Office of Management and Budget (“OMB”)ii. Inspector General (“IG”)iii. General Accounting Office (“GAO”)iv. Department of Justice (“DOJ”)v. Department of Health and Human Services(“HHR”)1. Office of Civil Rights (“OCR”)Pease International Tradeport ∙ 75 Rochester Avenue. Suite 4 ∙ Portsmouth, NH 03801 USA ∙+1 603.427.9200 ∙ certification@privacyassociation.org8