General

Q: What is the difference between privacy and security?

A: Privacy determines what information needs to be protected, to what extent it needs to be protected, and from whom it needs to be protected. Information security (InfoSec) is a mechanism to implement protections.

Privacy encompasses the analysis of policy and business processes to ensure the legal and ethical obligations of an organization are upheld when the organization collects, stores, uses and/or discloses sensitive information. This includes informing the public of the organization’s information practices; providing information on opportunities to choose whether personal information will be shared and of options to restrict access to sensitive information; and assessing risks associated with the unauthorized access to, or loss of, sensitive information.

InfoSec refers to the processes and methodologies that are designed and implemented to protect print, electronic or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.

Q: Why is privacy important?

A: When privacy safeguards are not established and/or enforced, the risk of unauthorized use or access increases. Unauthorized access or use of personal information may lead to financial harm, the release of personally embarrassing information, or the misuse of health care benefits (medical identity theft).

Q: What is data classification, and how will it advance agency privacy programs?

A: Data classification is an important step in setting up your privacy program. It involves identifying the data that your agency holds and/or uses and then categorizing the data based on its sensitivity level. Once you have classified your data, you will have a better understanding of the risks and how to reduce those risks, such as through information technology security protections or employee training. We have developed the Data Classification Schema and Guidelines, a quick guide to the most common data classification circumstances and examples, available on our Policy and Guidance page.

Q: Isn’t privacy just something for my agency’s information technology (IT) department to worry about?

A: No, privacy is everyone’s responsibility. In addition, data can be in both electronic and paper form. As part of an agency’s normal business processes, most employees will have access to some data. For example, any document that contains a person’s name and other identifying information could be a document that needs to be handled with special protections. For this reason, it is the responsibility of everyone at your agency to work together to protect individuals’ privacy.

Q: As an agency’s privacy liaison, what is a good way to get our privacy program started?

A: First, providing privacy training to agency staff is one of the most important components of all privacy programs. Privacy is the responsibility of everyone at the agency because any employee could have access to sensitive data. As privacy liaison, you want to make sure your staff knows how to handle and manage data during the performance of their job duties. For example, if employees access or use sensitive information during their workday, they should be instructed to always lock their workstation computer when away from their office. If someone finds a document left in a common area of the office, or receives an email by mistake, they should know the appropriate procedures for reporting the incident, returning the information to the data owner, disposing of the information appropriately, and/or informing their supervisor (or you, as the privacy liaison).

Second, complete your data classification. Go to our Policy and Guidance page for further information.

Third, conduct privacy impact assessments on high-risk business processes using the template and guidance found on our Policy and Guidance page.

And fourth, ensure EPO has been notified that you are your agency’s privacy liaison. Send us an email at privacy.office@admin.sc.gov.

EPO will be providing resources on this website and hosting events for agency privacy liaisons. Check our calendar page frequently. Until then, take a look at our Events and Training, and contact us any time to discuss more.

Q: How can agency privacy liaisons find out more information?

A: Agency privacy liaisons have come to the right place! On our website, we have Resources with links to laws and regulator websites; we have sections with Privacy Principles and Policy and Guidance for you to implement at your agency; above all, please contact us at privacy.office@admin.sc.gov to discuss any questions you may have.

Q: I do not work for the government, but I want to learn more about privacy issues. Where can I get more information about protecting my personal information?

A: The South Carolina Department of Consumer Affairs (SCDCA) is the agency that provides South Carolinians with information and resources on consumer privacy. You can reach the SCDCA website at http://www.consumer.sc.gov/Pages/default.aspx.

 

Statewide privacy services vendor contract

Q: How can state and local government entities get assistance in meeting privacy requirements?

A: To support state and local government entities in meeting the accelerating demand for information security and privacy services, the South Carolina Department of Administration’s (Admin) Division of Information Security (DIS) and Enterprise Privacy Office (EPO) issued the Information Security and Privacy Services (ISPS) statewide term contract. 

This turnkey solution offers a completed solicitation process, which saves time and allows direct contact with pre-vetted vendors. Using Governmental Units are responsible for issuing a purchase order and approving payment for the services.

Q: Who can use these services?

A: The state contract may be used by the following government units, referred to as “Using Governmental Units (UGUs)”:

A state government department, commission, council, board, bureau, committee, institution, college, university, technical school, agency, government corporation or other establishment or official of the executive or judicial branch. Governmental body excludes the General Assembly or its respective branches or its committees, Legislative Council, the Legislative Services Agency and all local political subdivisions such as counties, municipalities, school districts or public service or special purpose districts or any entity created by act of the General Assembly for the purpose of erecting monuments or memorials or commissioning art that is being procured exclusively by private funds. 

Q: Which Information Security and Privacy Services (ISPS) contract vendors provide privacy services?

A: Privacy services are available from four vendors awarded under Lot 7 of the Information Security and Privacy Services (ISPS) contract. The four vendors are: 

  • Axiom Resource Management Inc.  
  • Janus Software Inc.
  • Kuma, LLC
  • Navigate, LLC

Q: What privacy services do the Information Security and Privacy Services (ISPS) contract vendors provide?

A: Vendors awarded Lot 7 of the Information Security and Privacy Services (ISPS) contract can provide the following privacy services:

  • Privacy impact assessments
  • Privacy training development and delivery
  • Enterprise privacy communication management
  • Risk assessment assistance specifically related to privacy
  • Assistance in performing data inventory and classification activities
  • Privacy program development and compliance consulting services
  • Privacy incident response management services

Q: How do I take advantage of the Information Security and Privacy Services contract?

A: Review the ISPS vendor contact information and pricing located in the link below: https://procurement.sc.gov/agency/contracts/information-technology (Scroll down to Information Security and Privacy Services, and click Privacy Support Services Lot 7.)

Contact one or more of the listed vendors contracted to provide the service(s) of interest. Provide the vendor(s) with a description of your agency’s needs and requirements, and solicit proposals from the vendor(s).

Upon agreement between the agency and the vendor on the scope of work and cost, finalize the arrangement and payment in accordance with your organization’s policies.

Q: Who do I contact with questions about the procurement process?

A: For more information about the procurement process and how to use the Information Security and Privacy Services contract, contact the DIS Vendor Manager at dis.vendor.manager@admin.sc.gov or 803-896-4436.

Q: What if I need help determining the services I need?

A: If you would like advice on which privacy services would most benefit your privacy program, contact your organization’s privacy liaison, or the Department of Administration's (Admin) Enterprise Privacy Office (EPO) at privacy.office@admin.sc.gov.

Q: Since the ISPS contract is a statewide term contract, is it mandated that state and local government entities use the ISPS contract for information security and privacy services?

A: Yes. It is mandatory for all “Using Governmental Units” to procure their requirements from statewide term contracts during its term. Reference § 11-35-310 (35) of the Procurement Code.

Q: What state resources are available in managing vendors on the ISPS contract?

A: The State Procurement Office along with the Division of Information Security's Vendor Manager will be responsible for vendor management, performance, change-orders, modifications to the contract terms and conditions, and vendor disputes.