Develop and implement written procedures to:
- Periodically test the effectiveness of the rules for its data loss prevention tool and revise those rules when needed.
- Configure the Agency's data loss prevention tool to prevent the loss of other types of personally identifiable information (such as home addresses and dates of birth), in addition to Social Security numbers.
- Manage data loss prevention activities, including when staff should be notified of their violations.
Revise "Information Technology (IT) Security Training-Policy, Standards, Guidelines, and Plan" to document and implement a process for:
- Providing role-based privacy training to staff that are responsible for processing personally identifiable information.
- Providing role-based privacy training to staff at least annually.
- Training staff on how to identify new privacy risks and retention schedules for personally identifiable information as required in the role-based privacy training materials.
Update and implement the Agency's Social Security number reduction plan.
Update and implement the Agency's "System of Records Notices Standard Operating Procedure" to:
- Align with current requirements for reviewing and updating Agency system of record notices.
- Document decisions that system changes were not significant and, thus, related system of record notices do not need to be updated.
In addition, update the following system of record notices with the missing or incomplete elements identified in Appendix B of this document, as required by Office of Management and Budget Circular A-108:
- Personnel Security and Suitability investigations records;
- Google Apps;
- Personal Services Contract records;
- Congressional relations, inquiries, and travel records; and
- Litigation records.
Develop and implement a plan to maintain a complete, accurate inventory of the Agency's third-party websites-including periodic reminders to staff that implementing partners should notify the Agency when creating or deactivating public-facing, third-party websites-and take action, where needed, to post privacy notices on websites that collect personally identifiable information.