A: Privacy determines what information needs to be protected, to what extent it needs to be protected, and from whom it needs to be protected. Information security (InfoSec) is a mechanism to implement protections.
Privacy encompasses the analysis of policy and business processes to ensure the legal and ethical obligations of an organization are upheld when the organization collects, stores, uses and/or discloses sensitive information. This includes informing the public of the organization’s information practices; providing information on opportunities to choose whether personal information will be shared and of options to restrict access to sensitive information; and assessing risks associated with the unauthorized access to, or loss of, sensitive information.
InfoSec refers to the processes and methodologies that are designed and implemented to protect print, electronic or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
A: When privacy safeguards are not established and/or enforced, the risk of unauthorized use or access increases. Unauthorized access or use of personal information may lead to financial harm, the release of personally embarrassing information, or the misuse of health care benefits (medical identity theft).
A: Data classification is an important step in setting up your privacy program. It involves identifying the data your agency holds and/or uses and then categorizing the data based on its sensitivity level. Once you have classified your data, you will have a better understanding of the risks and how to reduce those risks, such as through information technology security protections or employee training. We have developed the Data Classification Schema and Guidelines, a quick guide to the most common data classification circumstances and examples, available on the Governance and Resources webpage.
A: No, privacy is everyone’s responsibility. In addition, data can be in both electronic and paper form. As part of an agency’s normal business processes, most employees will have access to some data. For example, any document that contains a person’s name and other identifying information could be a document that needs to be handled with special protections. For this reason, it is the responsibility of everyone at your agency to work together to protect individuals’ privacy.
A: First, providing privacy training to agency staff is one of the most important components of all privacy programs. Privacy is the responsibility of everyone at the agency because any employee could have access to sensitive data. As privacy liaison, you want to make sure your staff knows how to handle and manage data during the performance of their job duties. For example, if employees access or use sensitive information during their workday, they should be instructed to always lock their workstation computer when away from their office. If someone finds a document left in a common area of the office, or receives an email by mistake, they should know the appropriate procedures for reporting the incident, returning the information to the data owner, disposing of the information appropriately and/or informing their supervisor (or you, as the privacy liaison).
Second, complete your data classification. Go to the Governance and Resources webpage for further information.
Third, conduct privacy impact assessments on high risk business processes using the template and guidance found on the Governance and Resources webpage.
EPO will be providing resources on this website and hosting events for agency privacy liaisons. Check our calendar page frequently. Until then, contact us any time to discuss more.
A: Agency privacy liaisons have come to the right place! On our website, we have Resources with links to laws and regulatory websites; we have sections with Privacy Principles and Policy and Guidance for you to implement at your agency; above all, please contact us at email@example.com to discuss any questions you may have.
A:The South Carolina Department of Consumer Affairs (SCDCA) is the agency that provides South Carolinians with information and resources on consumer privacy. You can reach the SCDCA website at https://consumer.sc.gov/.
A: To support state and local government entities in meeting the accelerating demand for information security and privacy services, Admin's Division of Information Security (DIS) and Enterprise Privacy Office (EPO) issued the Information Security and Privacy Services (ISPS) statewide term contract.
This turnkey solution offers a completed solicitation process, which saves time and allows direct contact with pre-vetted vendors. Using Governmental Units are responsible for issuing a purchase order and approving payment for the services.
A: The state contract may be used by the following government units, referred to as “Using Governmental Units (UGUs)”:
A state government department, commission, council, board, bureau, committee, institution, college, university, technical school, agency, government corporation or other establishment or official of the executive or judicial branch. Governmental body excludes the General Assembly or its respective branches or its committees, Legislative Council, the Legislative Services Agency and all local political subdivisions such as counties, municipalities, school districts or public service or special purpose districts or any entity created by act of the General Assembly for the purpose of erecting monuments or memorials or commissioning art that is being procured exclusively by private funds.
A: Privacy services are available from four vendors awarded under Lot 7 of the Information Security and Privacy Services (ISPS) contract. The four vendors are:
Axiom Resource Management Inc.
Janus Software Inc.
A: Vendors awarded Lot 7 of the Information Security and Privacy Services (ISPS) contract can provide the following privacy services:
Privacy impact assessments
Privacy training development and delivery
Enterprise privacy communication management
Risk assessment assistance specifically related to privacy
Assistance in performing data inventory and classification activities
Privacy program development and compliance consulting services
Contact one or more of the listed vendors contracted to provide the service(s) of interest. Provide the vendor(s) with a description of your agency’s needs and requirements, and solicit proposals from the vendor(s).
Upon agreement between the agency and the vendor on the scope of work and cost, finalize arrangement and payment in accordance with your organization’s policies.
A: For more information about the procurement process and how to use the Information Security and Privacy Services contract, contact the DIS Vendor Manager at firstname.lastname@example.org or 803-896-4436.
A: If you would like advice on which privacy services would most benefit your privacy program, contact your organization’s privacy liaison, or Admin's Enterprise Privacy Office (EPO) at email@example.com.
A: Yes. It is mandatory for all “Using Governmental Units” to procure their requirements from statewide term contracts during its term. Reference § 11-35-310 (35) of the Procurement Code.
A: The State Procurement Office along with the Division of Information Security's Vendor Manager will be responsible for vendor management, performance, change-orders, modifications to the contract terms and conditions, and vendor disputes.