VIII. Privacy and security

04/16/2020

All DHS staff, volunteers, and partners share an obligation to safeguard all confidential information about individuals with whom they come into contact including consumers, participants, and licensees or providers.

APD and its partners are committed to both respecting and protecting the privacy and records of the people who request or receive services and benefits.

Note: Employees and partners should be up to date on mandatory privacy and security training.

A. Reporting a privacy or security incident

An incident is an unplanned, unusual, and unwanted action or adverse event that happened as a result of non-compliance with agency policies and procedures.

A security or privacy incident is any event that may potentially affect the confidentiality, integrity or availability of DHS/OHA information in any format – verbal, paper or electronic (data, voice, video, image, etc.).

• Privacy incident – Accidental or unauthorized acquisition, use or disclosure of confidential, personally-identifiable (PI) or protected health information (PHI).
• Security incident – Attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. 

 

Examples may include:

• Sending an email, hard copy mail, or fax to the incorrect person or address;
• Loss of paper file, or equipment (laptop, tablet, smartphone) with unencrypted confidential data;
• Posting restricted information to a public website;
• Forgetting or leaving protected information in a public location;
• Leaving a computer unlocked and unattended so anyone can see protected information.
• Corrupting IT equipment, systems, or networks by accidentally downloading a virus, malware, or other malicious software.

Report any incident, even ones occurring by accident, immediately. The Information Security and Privacy Office (ISPO) understands accidental violations will occur and are able to assist in resolving the situation before it can escalate.

Report the incident immediately. You can report to your supervisor or directly to ISPO by phone, email, or fax:

ISPO
Phone: 503-945-5780
Email: Dhs.privacyhelp@state.or.us
Fax: 503-947-5396

You can also access the ISPO’s Privacy or Security Issue intranet page at https://dhsoha.sharepoint.com/teams/Hub-SS-OIS/SitePages/Privacy-Security.aspx. This page offers guidance on reporting privacy or security incidents, including links to reporting forms and policies.

If the incident involves a lost device, also report is to the OIS Service Desk, 503-945-5623 or OIS.ServiceDesk@dhsoha.state.or.us.

When reporting privacy or security incidents to ISPO, please also report the incident to Frank Miles, DHS Security and Privacy Services Manager, by email at frank.t.miles@dhsoha.state.or.us or phone at (503) 507-7851.

For more information on what is involved with reporting a privacy or security incident, please see the ISPO intranet website.

B. Secure email

For information on sending and retrieving secure email, please see the Secure Email intranet website.

C. Original documents left by consumers

Occasionally, staff find original documents left by consumers on copiers or in interview rooms after the consumer has left the office making it impossible to hand the document back to them.

If the office finds original consumer documents, the first step is to contact the consumer to return the documents and avoid the potential hardship of replacement costs; see below.

When attempts to contact the consumer have failed, some state and federal agencies require staff to return original identity documents to the originating agency by mail.

The best practice is to help the consumer avoid leaving their documents in the first place by asking if they have everything and looking for documents before the consumer leaves.

 

1. Dealing with unclaimed documents

The local office should keep a log of each original document belonging to a consumer and the date left or found.

Contact the consumer immediately by phone, email, or other preferred method, to ask them to pick up the document(s).

Consumers who are unable to pick up original documents themselves may have a previously authorized person pick up documents for them or ask to have them mailed.

• Documents may be returned by mail ONLY if:
• Staff verified the consumer’s address at the time of the request; and
• Documents are sent by registered U.S. mail or other trackable delivery service.

If there is no response from the consumer after thirty (30) days from the last attempt, return the document to the appropriate government agency at the address listed below or follow the directions under Other documents.

Note in the log each attempt to contact the consumer to return the documents. Make at least two attempts, on separate days, to contact the consumer.

 

2. Addresses for common documents left behind

Social Security cards
Social Security Administration
P.O. Box 33008
Baltimore, MD 21290-3008

Military documents
U.S. Department of Veteran’s Affairs
Attn: Found Documents
100 SW Main St., FL2
Portland, OR 97204

U.S. passports
U.S. Department of State
Consular Lost/Stolen Passport Section
1111 19th St. NW, Suite 500
Washington, DC 20036

Oregon driver licenses and identification cards
Oregon DMV
1905 Lana Ave NE
Salem, OR 97314

Oregon birth certificates
Oregon Vital Records
800 NE Oregon St., Suite 225
Portland, OR 97232-2162

Note: Only send documents issued within the last year to Oregon Vital Records; shred unreturnable documents more than one year old.

 

3. Other documents

If the original document does not appear on the above list and was not issued by one of the agencies listed above, contact the issuing agency to ask for their return procedure or directions for destroying the document(s).

At the end of the thirty (30) day period, destroy the document(s) according to the issuing agency’s instructions including DHS/OHA policy.

Contact the DHS/OHA Information Security and Privacy Office at dhs.privacyhelp@state.or.us or call 503-945-5780 with questions.

D. Address Confidentiality Program (ACP)

The Address Confidentiality Program (ACP) is administered through the Oregon Department of Justice (DOJ) and provides a substitute mailing address and mail forwarding service for ACP participants who are victims of domestic violence, stalking, and human trafficking who have qualified for participation in the program.

See the ACP procedure guide on the DV staff tools webpage under Desktools then Working with survivors.

Staff should be aware:

• Allow five (5) extra days for sending notices which require ten (10) days or less for service;
• Request an out-of-area enrollment exception for managed care enrollment.

People selected for the ACP have completed safety planning with a local domestic violence service provider or district attorney-based victims' assistance program. For further information about the program, access the Oregon Department of Justice ACP webpage.

To apply for the program, refer the consumer to the local domestic violence and sexual assault service provider or the local crime victims' assistance program through the district attorney. The victim will work with an application assistant who can help them decide if the program is appropriate for them.

Other ways to protect information in domestic violence cases: There are several options available victims may use to protect their address from appearing in public records including voter's registration, driver's license, and court proceedings.

• Refer consumers to the individual agencies to learn more information or to the local domestic violence service provider who may help the consumer plan around these options.
• Legal aid has information about confidentiality protections for victims of domestic violence, sexual assault and stalking on their website at http://www.oregonlawhelp.org/.

 

E. Passwords

For information on passwords and password security, please review the Information Security and Privacy Office (ISPO) intranet page specific to passwords.

It is the responsibility of all authorized users to protect confidential consumer data in all forms including electronic, written documents, reports, and verbal. This protection includes maintaining password secrecy, not sharing terminal access with others, and taking a pro-active approach in the protection of consumer data and confidentiality.

Each worker’s password identifies the work and actions completed by that employee. Passwords keep consumer information secure and prevents unauthorized access.

Staff are responsible for information entered and payments issued using their system access ID and password.

1. Password guidelines

A strong password is the first step to securing confidential information. A strong password should:

• Include numbers, letters, and special characters;
• Contain at least 10 characters;
• Not contain dictionary words;
• Not contain any personally identifiable information;
• Be meaningful to only the worker;
• Be kept secret;
• Change every 60 days.

ISPO recommends choosing a phrase and using the initial letters and numbers: I love my 37 black cats! Becomes ILM37BC!

 

2. Tips for staff

• Do not write passwords down or leave them where they can be found. This includes entering passwords into RACF or Oregon ACCESS (OA) while others can watch keystrokes. Each employee is responsible for all actions taken under their own password.
• Do not lend passwords to someone who has forgotten their own or who needs temporary access to data. Each person must access data through their own password, even if it is issued and revoked the same day.
• Do not share passwords. This includes situations where staff may job share, temporarily help someone, or where there are only two people in a remote office. Each person must obtain and use their own login and private password.
• Do not auto store passwords. An automatic sign on processes eliminating the need to enter your password also eliminates the security provided by a password requirement. Quick-keys, macros, or other methods to store passwords are considered a violation of security.

Note: Do not leave your terminal/PC unattended logged into Oregon ACCESS, the DHS Mainframe, or TRACS. Log off when you leave for breaks, lunch, meetings, or any other reason.

DHS systems require new passwords every sixty (60) days. Additionally, change passwords whenever password secrecy is compromised. After five attempts to use an invalid password on the mainframe, or if it is forgotten, staff must request reinstatement through the local sub-administrator or the DHS Service Desk, if the sub-administrator is unavailable.

Staff can also set up a personal profile through the myPassword application. Once set up the myPassword application allows staff to reset their own password when locked out of their account.

3. Changing passwords in DHS data systems

Each DHS data collection system, such as Oregon ACCESS, DHR/DHS Mainframe, TRACS, MMIS, and ONE has a unique method of changing or updating a password. Please see the individual systems for details.

The older systems which communicate with each other - Oregon ACCESS, DHR/DHS Mainframe, and TRACS – must have the same password to share data. When changing the password in one, be sure to change it in the other two.

F. Resources

• Information Security and Privacy Office (ISPO);
• Uses and Disclosures of Individual Information: DHS 100-103;
• Minimum Necessary Standard for Releasing Personally Identifiable Information: DHS 100-104;
• Managing Passwords Process: DHS|OHA 090-003-04;
• Information Security Incident Management Policy: DHS|OHA 090-005;
• Information Security Incident Reporting Process: DHS|OHA 090-005-01;
• Enforcement, Sanctions & Penalties for Violations of Individual Privacy: DHS 100-109.