Questions and Answers Reference Guide
1. A privacy incident is: the suspected or confirmed loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses PII; or an authorized user accesses or potentially accesses PII for an unauthorized purpose.
True
2. Indicate which of the following are examples of PII:
• A leave request with name, last 4 of SSN, and medical info
• An employee roster with home address and phone number
• A supervisor's list of employee performance ratings
• A witness protection list
• A worker's compensation form with name and medical info
3. If someone within DHS asks you for PII in digital or hard copy format, what should you do first?
Verify the requestor's "need to know" before sharing
4. Who is responsible for protecting PII?
All of the above (Component Privacy Officers, Supervisors, and Contractors)
5. Personally-owned equipment can be used to access or store PII for official purposes.
False
6. If you maintain PII in hard copy or electronically, use safeguards and technical access controls to restrict access to staff with an official "need to know."
True
7. Privacy Act protected information can be shared outside of DHS only when specifically authorized.
True
8. Never email another individual's PII to or from your personal email account.
True
9. You may only email Sensitive PII from DHS to an external email within an encrypted or password-protected attachment.
True