Read the Privacy Office’s First newsletter
Greetings from the Privacy Office
Welcome to the Privacy Office’s first newsletter!
Who are we?
NYCHA’s Privacy Office was established to ensure the Authority meets its ongoing responsibility to safeguard and properly handle personally identifiable information (“PII”). The Privacy Office is the focal point for NYCHA’s privacy compliance-related activities and partners with all of NYCHA’s business units to ensure NYCHA meets all privacy obligations.
This year marked two significant changes for the Privacy Office. Metom Bergman joined the office as NYCHA’s new Chief Privacy Officer (“CPO”) with the core responsibility to develop and implement a comprehensive privacy program at NYCHA. In addition, the Privacy Office became a new member of NYCHA’s Compliance Department. This department was created as part of the January 31, 2019 Agreement between NYCHA, the U.S. Department of Housing and Urban Development (HUD), and the U.S. Attorney’s Office for the Southern District of New York. With this move, the Privacy Office is now part of NYCHA’s growing practice area focused on compliance-related operations.
For more information about the Privacy Office, please visit the Privacy Office’s website.
What Is NYCHA’s Privacy Policy?
Successful privacy compliance requires that all NYCHA personnel become familiar with, and understand, Standard Procedure 002:12:1 – NYCHA Privacy Policy (“NYCHA’s Privacy Policy”). NYCHA’s Privacy Policy provides NYCHA personnel with instructions regarding the handling, safeguarding, and disclosure of PII.
An assessment by the CPO has determined that it is common for NYCHA personnel to demonstrate an awareness of NYCHA’s Privacy Policy but misunderstand key obligations established by the policy.
Please review NYCHA’s Privacy Policy in full. Below, the CPO has explained four key requirements of NYCHA’s Privacy Policy to assist staff understand their privacy obligations.
- Need to Know Disclosures:
NYCHA personnel must only share PII with those personnel who have a need to know the information for purposes of their work. A common way this principle is violated is when PII is internally circulated to an impermissibly broad audience through email. Before internally sending PII, NYCHA staff must consider whether all recipients require the information to complete the intended business purpose. NYCHA staff should never release sensitive PII to other employees unless they are sure that the release is authorized, proper and necessary.
- Minimum Necessary Collection:
NYCHA must collect PII, including sensitive PII, from clients, staff, and third parties, for many legitimate business purposes. However, NYCHA personnel must only collect the minimum necessary PII to complete the intended business purpose. Staff must be familiar with, and follow, the relevant rules and regulations by which they collect PII to ensure NYCHA collects only the minimum necessary PII.
- Use Limitation:
NYCHA staff must only use PII for the business purpose for which it was collected and must never access or use PII for personal reasons.
- Safeguarding PII:
NYCHA must implement appropriate administrative, technical, and physical safeguards to protect the confidentiality of PII (in either electronic or physical form). NYCHA’s IT systems incorporate many technical safeguards that protect PII. To ensure electronic PII is protected, NYCHA staff must store, process, and/or transmit electronic PII exclusively through NYCHA-approved IT systems. PII must never exist on personal devices or personal e-mail accounts. Similarly, PII must never be transmitted outside of NYCHA or NYCHA’s systems,
including NYCHA’s Virtual Private Network (VPN), or to any portable storage device (such as a USB flash memory drive), unless advance written approval is granted by a Department/Office Director. For further information on NYCHA’s acceptable use policies concerning portable storage devices or portable data devices (e.g. laptops and cellphones) please see Portable Data Device Issuance, Acceptable Use and Security – SP 003:11:1.
What is Personally Identifiable Information?PII is any information which can be used to distinguish or trace an individual’s identity alone (“Direct PII”) or when combined with other personal or identifying information which is linked or linkable to a specific individual (“Indirect PII”). PII that, if disclosed, may substantially harm an individual is considered “sensitive PII.” Direct PII: Direct PII is any information that, alone, can be used to identify an individual. Examples include an individual’s full name, social security number, driver’s license number, or passport number. Indirect PII: Indirect PII is any information that exists in combination with other information that would allow an individual to be identified. An example is a document that contains an individual’s date of birth, place of birth, and mother’s maiden name. Each piece of information, alone, does not identify the individual. However, when all three data elements are combined the individual can be identified. Sensitive PII: Sensitive PII is any PII that when lost, compromised, or disclosed without authorization could substantially harm an individual. Examples of sensitive PII include social security or driver license numbers, medical records, and financial account numbers such as credit or debit card numbers. |
NYCHA staff must always consult with NYCHA’s Law Department for further instructions before releasing any PII to non-NYCHA personnel or entities (including government agencies or researchers).
Be careful to avoid unintentional disclosure of sensitive PII. Make it a regular habit to not leave sensitive PII displayed on your computer screen when unattended. Avoid leaving voicemails containing sensitive PII or discussing sensitive PII if there are unauthorized staff or guests who may overhear you. And treat documents as if they contain sensitive PII when you are not sure.
Reporting a Privacy IncidentA privacy incident is any violation of a privacy law, principle, or policy and includes any situation where PII, whether physical or electronic, is disclosed to, or can be accessed by, an individual who is not authorized to access the information or when PII is used for an unauthorized purpose. All NYCHA staff and contractors must report any suspected or confirmed privacy incidents to a supervisor. The supervisor must then report the incident to the Chief Privacy Officer via email to privacy@nycha.nyc.gov. Any questions regarding privacy matters may be submitted to NYCHA’s Privacy Office via email to privacy@nycha.nyc.gov. |
Conclusion
The Privacy Office will continue working with our colleagues to ensure that NYCHA management and staff understand their obligations as they relate to protecting the confidentiality of PII. Any questions concerning how to handle PII can be sent directly to the Privacy Office at privacy@nycha.nyc.gov.
90 Church Street
New York, NY 10007
privacy@nycha.nyc.gov
For more information, please visit the Privacy Office’s website.