IX. Privacy and security
08/21/2018
All DHS staff, volunteers, and partners share an obligation to safeguard all confidential information about individuals with whom they come into contact including consumers, participants, and licensees or providers.
APD and its partners are committed to both respecting and protecting the privacy and records of the people who request or receive services and benefits.
Note: Employees and partners should be up-to-date on mandatory privacy and security training.
A. Reporting a privacy or security incident
A privacy or security incident is any unplanned or unusual action which resulted in a potential unauthorized disclosure of protected information. Examples may include:
· Sending an email, hard copy mail, or fax to the incorrect person or address;
· Loss of paper file, or equipment (laptop, tablet, smartphone) with unencrypted confidential data;
· Posting restricted information to a public website;
· Forgetting or leaving protected information in a public location;
· Leaving a computer unlocked and unattended so anyone can see protected information.
Any incident, even one that happens by accident, must be reported immediately. The Information Security and Privacy Office (ISPO) understands accidental violations will occur and is able to assist in resolving the situation before it can escalate.
Report the incident immediately. You can report to your supervisor or directly to ISPO by phone, email, or fax:
ISPO
Phone: 503-945-5780
Email: Dhs.privacyhelp@state.or.us
Fax: 503-947-5396
If the incident involves a lost device, also report it to the OIS Service Desk, 503-945-5623 or dhs.servicedesk@state.or.us.
For more information on what is involved with reporting a privacy or security incident, please see the ISPO intranet website.
For information on sending and retrieving secure email, please see the Secure Email intranet website.
C. Original documents left by consumers
Occasionally, consumers will leave original documents behind on copiers or in interview rooms which are not found until after the consumer has left the office, making it impossible to hand the document back to them.
If the office finds original consumer documents, the first step is to contact the consumer to return the documents and avoid the replacement cost, which can be a hardship; see below.
When attempts to contact the consumer have failed, some state and federal agencies require original identity documents to be returned to the originating agency by mail.
The best practice is to help the consumer avoid leaving their documents in the first place by asking if they have everything and looking for documents before the consumer leaves.
1. Dealing with unclaimed documents
The local office should keep a log of each original document belonging to a consumer and the date it was left or found.
Contact the consumer immediately by phone, email, or other preferred method, to ask them to pick up the document(s).
Consumers who are unable to pick up original documents themselves may have a previously authorized person pick them up on their behalf, or request the documents be returned to them by mail.
· Documents may be returned by mail ONLY if:
o The consumer’s address is known to be correct or has been verified at the time of the request; and
o Documents are sent by registered U.S. mail or other trackable delivery service.
If there is no response from the consumer after thirty (30) days from the last attempt, return the document to the appropriate government agency at the address listed below or follow the directions under Other documents.
Note in the log each attempt to contact the consumer to return the documents. At least two attempts, on separate days, should be made to contact the consumer.
2. Addresses for common documents left behind
Social Security cards
Social Security Administration
P.O. Box 33008
Baltimore, MD 21290-3008
Military documents
U.S. Department of Veteran’s Affairs
Attn: Found Documents
100 SW Main St., FL2
Portland, OR 97204
U.S. passports
U.S. Department of State
Consular Lost/Stolen Passport Section
1111 19th St. NW, Suite 500
Washington, DC 20036
Oregon driver licenses and identification cards
Oregon DMV
1905 Lana Ave NE
Salem, OR 97314
Oregon birth certificates
Oregon Vital Records
800 NE Oregon St., Suite 225
Portland, OR 97232-2162
Note: Only documents issued within the last year should be sent to Oregon Vital Records. If the document is more than one year old, it should be shredded if it is not able to be returned.
If the original document does not appear on the above list and was not issued by one of the agencies listed above, contact the issuing agency to ask for their return procedure or directions for destroying the document(s).
At the end of the thirty (30) day period, destroy the document(s) according to the issuing agency’s instructions including DHS/OHA policy.
Contact the DHS/OHA Information Security and Privacy Office at dhs.privacyhelp@state.or.us or call 503-945-5780 with questions.
D. Address Confidentiality Program (ACP)
The Address Confidentiality Program (ACP) is administered through the Oregon Department of Justice (DOJ) and provides a substitute mailing address and mail forwarding service for ACP participants who are victims of domestic violence, stalking, and human trafficking who have qualified for participation in the program.
See the ACP procedure guide on the DV staff tools webpage under Desktools then Procedures.
Staff should be aware:
· An additional five (5) days should be allowed for sending notices requiring ten (10) days or less for service;
· For managed care enrollment, an out-of-area enrollment exception needs to be requested.
People selected for the ACP have completed safety planning with a local domestic violence service provider or district attorney based victims' assistance program. For further information about the program, access the Oregon Department of Justice ACP webpage.
To apply for the program, the consumer should be referred to the local domestic violence and sexual assault service provider or the local crime victims' assistance program through the district attorney. The victim will work with an application assistant who can help them decide if the program is appropriate for them.
Other ways to protect information in domestic violence cases: There are several options victims may use to protect their address from being used in public records, including voter's registration, driver's license, and court proceedings.
· Refer consumers to the individual agencies to learn more information or to the local domestic violence service provider who may help the consumer plan around these options.
· Legal aid has information about confidentiality protections for victims of domestic violence, sexual assault and stalking on their Web page at http://www.oregonlawhelp.org/.
For information on passwords and password security, please review the Information Security and Privacy Office (ISPO) intranet page specific to passwords.
It is the responsibility of all authorized users to protect confidential consumer data in all forms including electronic, written documents, reports, and verbal. This protection includes maintaining password secrecy, not sharing terminal access with others, and taking a proactive approach in the protection of consumer data and confidentiality.
Each worker’s password identifies the work and actions completed by that employee. Passwords keep consumer information secure and prevent unauthorized access.
Staff are responsible for information entered and payments issued using their system access ID and password.
A strong password is the first step to securing confidential information.
A strong password should:
· Include numbers, letters, and special characters;
· Not contain dictionary words;
· Not contain any personally identifiable information;
· Be meaningful to only the worker;
· Be kept secret;
· Change every 60 days.
ISPO recommends choosing a phrase and using the initial letters and numbers: "I love my 37 black cats!" becomes "ILM37BC!"
· Do not write passwords down or leave them where they can be found. This includes entering passwords into RACF or Oregon ACCESS (OA) while others can watch keystrokes. Each employee is responsible for all actions taken under their own password.
· Do not lend passwords to someone who has forgotten their own or who needs temporary access to data. Each person must access data through their own password, even if it is issued and revoked the same day.
· Do not share passwords. This includes situations where staff may job share, temporarily help someone, or where there are only two people in a remote office. Each person must obtain and use their own login and private password.
· Do not auto store. An automatic sign-on process that eliminates the need to enter your password also eliminates the security provided by a password requirement. Quick-keys, macros, or other methods to store passwords are considered a violation of security.
Note: Do not leave your terminal/PC unattended when it is logged into Oregon ACCESS, the DHS Mainframe, or TRACS. Log off when you leave for breaks, lunch, meetings, or any other reason.
DHS systems require a new password every sixty days. Additionally, passwords must be changed whenever password secrecy may have been compromised. After five attempts to use an invalid password on the mainframe, or if it is forgotten, staff must request reinstatement through the local sub-administrator or the DHS Service Desk, if the sub-administrator is unavailable.
3. Changing passwords in DHS data systems
Each DHS data collection system, such as Oregon ACCESS, DHR/DHS Mainframe, TRACS, MMIS, and ONE has a unique method of changing or updating a password. Please see the individual systems for details.
The older systems which communicate with each other (Oregon ACCESS, DHR/DHS Mainframe, and TRACS) must have the same password to share data. When changing the password in one, be sure to change it in the other two.
· DHS General Privacy: DHS 100-001
· Privacy and Information Security Management: DHS-090-005
· Information Security and Privacy Office (ISPO)