VIII. Privacy and security


All DHS staff, volunteers, and partners share an obligation to safeguard all confidential information about individuals with whom they come into contact including consumers, participants, and licensees or providers.

APD and its partners are committed to both respecting and protecting the privacy and records of the people who request or receive services and benefits.

Note: Employees and partners should be up to date on mandatory privacy and security training.

A. Reporting a privacy or security incident

An incident is an unplanned, unusual, and unwanted action or adverse event that happened as a result of non-compliance with agency policies and procedures.

A security or privacy incident is any event that may potentially affect the confidentiality, integrity or availability of DHS/OHA information in any format – verbal, paper or electronic (data, voice, video, image, etc.).


Examples may include:

Report any incident, even ones occurring by accident, immediately. The Information Security and Privacy Office (ISPO) understands accidental violations will occur and are able to assist in resolving the situation before it can escalate.

Report the incident immediately. You can report to your supervisor or directly to ISPO by phone, email, or fax:

Phone: 503-945-5780
Fax: 503-947-5396

You can also access the ISPO’s Privacy or Security Issue intranet page at This page offers guidance on reporting privacy or security incidents, including links to reporting forms and policies.

If the incident involves a lost device, also report is to the OIS Service Desk, 503-945-5623 or

When reporting privacy or security incidents to ISPO, please also report the incident to Frank Miles, DHS Security and Privacy Services Manager, by email at or phone at (503) 507-7851.

For more information on what is involved with reporting a privacy or security incident, please see the ISPO intranet website.

B. Secure email

For information on sending and retrieving secure email, please see the Secure Email intranet website.

C. Original documents left by consumers

Occasionally, staff find original documents left by consumers on copiers or in interview rooms after the consumer has left the office making it impossible to hand the document back to them.

If the office finds original consumer documents, the first step is to contact the consumer to return the documents and avoid the potential hardship of replacement costs; see below.

When attempts to contact the consumer have failed, some state and federal agencies require staff to return original identity documents to the originating agency by mail.

The best practice is to help the consumer avoid leaving their documents in the first place by asking if they have everything and looking for documents before the consumer leaves.


1. Dealing with unclaimed documents

The local office should keep a log of each original document belonging to a consumer and the date left or found.

Contact the consumer immediately by phone, email, or other preferred method, to ask them to pick up the document(s).

Consumers who are unable to pick up original documents themselves may have a previously authorized person pick up documents for them or ask to have them mailed.

If there is no response from the consumer after thirty (30) days from the last attempt, return the document to the appropriate government agency at the address listed below or follow the directions under Other documents.

Note in the log each attempt to contact the consumer to return the documents. Make at least two attempts, on separate days, to contact the consumer.


2. Addresses for common documents left behind

Social Security cards
Social Security Administration
P.O. Box 33008
Baltimore, MD 21290-3008

Military documents
U.S. Department of Veteran’s Affairs
Attn: Found Documents
100 SW Main St., FL2
Portland, OR 97204

U.S. passports
U.S. Department of State
Consular Lost/Stolen Passport Section
1111 19th St. NW, Suite 500
Washington, DC 20036

Oregon driver licenses and identification cards
Oregon DMV
1905 Lana Ave NE
Salem, OR 97314

Oregon birth certificates
Oregon Vital Records
800 NE Oregon St., Suite 225
Portland, OR 97232-2162

Note: Only send documents issued within the last year to Oregon Vital Records; shred unreturnable documents more than one year old.


3. Other documents

If the original document does not appear on the above list and was not issued by one of the agencies listed above, contact the issuing agency to ask for their return procedure or directions for destroying the document(s).

At the end of the thirty (30) day period, destroy the document(s) according to the issuing agency’s instructions including DHS/OHA policy.

Contact the DHS/OHA Information Security and Privacy Office at or call 503-945-5780 with questions.

D. Address Confidentiality Program (ACP)

The Address Confidentiality Program (ACP) is administered through the Oregon Department of Justice (DOJ) and provides a substitute mailing address and mail forwarding service for ACP participants who are victims of domestic violence, stalking, and human trafficking who have qualified for participation in the program.

See the ACP procedure guide on the DV staff tools webpage under Desktools then Working with survivors.

Staff should be aware:

People selected for the ACP have completed safety planning with a local domestic violence service provider or district attorney-based victims' assistance program. For further information about the program, access the Oregon Department of Justice ACP webpage.

To apply for the program, refer the consumer to the local domestic violence and sexual assault service provider or the local crime victims' assistance program through the district attorney. The victim will work with an application assistant who can help them decide if the program is appropriate for them.

Other ways to protect information in domestic violence cases: There are several options available victims may use to protect their address from appearing in public records including voter's registration, driver's license, and court proceedings.


E. Passwords

For information on passwords and password security, please review the Information Security and Privacy Office (ISPO) intranet page specific to passwords.

It is the responsibility of all authorized users to protect confidential consumer data in all forms including electronic, written documents, reports, and verbal. This protection includes maintaining password secrecy, not sharing terminal access with others, and taking a pro-active approach in the protection of consumer data and confidentiality.

Each worker’s password identifies the work and actions completed by that employee. Passwords keep consumer information secure and prevents unauthorized access.

Staff are responsible for information entered and payments issued using their system access ID and password.

1. Password guidelines

A strong password is the first step to securing confidential information. A strong password should:

ISPO recommends choosing a phrase and using the initial letters and numbers: I love my 37 black cats! Becomes ILM37BC!


2. Tips for staff

Note: Do not leave your terminal/PC unattended logged into Oregon ACCESS, the DHS Mainframe, or TRACS. Log off when you leave for breaks, lunch, meetings, or any other reason.

DHS systems require new passwords every sixty (60) days. Additionally, change passwords whenever password secrecy is compromised. After five attempts to use an invalid password on the mainframe, or if it is forgotten, staff must request reinstatement through the local sub-administrator or the DHS Service Desk, if the sub-administrator is unavailable.

Staff can also set up a personal profile through the myPassword application. Once set up the myPassword application allows staff to reset their own password when locked out of their account.

3. Changing passwords in DHS data systems

Each DHS data collection system, such as Oregon ACCESS, DHR/DHS Mainframe, TRACS, MMIS, and ONE has a unique method of changing or updating a password. Please see the individual systems for details.

The older systems which communicate with each other - Oregon ACCESS, DHR/DHS Mainframe, and TRACS – must have the same password to share data. When changing the password in one, be sure to change it in the other two.

F. Resources