Approach to Data Privacy
Led by our Chief Privacy Officer (CPO), the Global Privacy Office promotes a culture that values privacy by focusing on five main pillars:
- Training and Communications
- Legal/Regulatory Compliance
We know that improperly handling personal information can have serious consequences for our employees, our company, our investors and our customers. Thus, data privacy is integral to our Code of Conduct and employee training programs.
As stated in our Code of Conduct, keeping data secure is a key part of demonstrating the commitment of Leidos to its customers and to each other. Leidos policies and procedures include specific privacy and data security measures for "Protection Required Data" (PRD) when appropriate, including access controls, encryption and de-identification. PRD must be marked using distinct labels. Those labels include: Proprietary Information, Export-Controlled Information, Personal Information, Third-Party Protected Information and Controlled Unclassified Information (CUI). The privacy and data security measures are appropriate for various PRD levels based on contractual, legal and regulatory requirements.
Annual cybersecurity/data privacy, HIPAA, and general data privacy awareness training is also required of employees when relevant to their job functions. The Global Privacy Office also creates tailored training presentations related to specific subject areas such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). For example, annual HIPAA training is required for all employees who handle Protected Health Information related to U.S. residents. Likewise, our Code of Conduct includes sections devoted to data privacy awareness and related employee obligations.
The Global Privacy Office has also designed and manages a robust Intranet site for Leidos employees, which includes a Data Privacy Best Practices Toolkit, a link to its customized privacy management system and numerous other data privacy-related resources.
Finally, the Global Privacy Office has also been integrating Privacy by Design into our business operations, since protecting personal information is a commitment we make to our customers. It is an essential part of doing business. Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices. As an example of Privacy by Design, the Global Privacy Office has created questionnaires and processes for identifying customer programs which involve the handling of personal information. The Global Privacy Office works closely with designated Points of Contact and Privacy Champions to integrate data privacy protection into program execution. These are just a few of the ways in which the Global Privacy Office has implemented - and continues to implement - Privacy by Design.
The Leidos Board of Directors’ Technology & Information Security Committee provides oversight of matters involving the Company’s overall strategic direction and associated exposure to, as well as management of, significant business risks in the areas of technology, information, and operational security.
Leidos has also formed a Data Governance Steering Committee (DGSC). The mission of the DGSC is to align Leidos data management goals, standards, practices and processes with its business goals and strategies, all while reducing the risk of misuse, misappropriation, loss, theft or unauthorized access to various types of data.
The DGSC is co-chaired by the Chief Privacy Officer (CPO) and Chief Information Officer (CIO) and includes members from several corporate functions, such as Corporate Security, Information Technology, Legal, International Regulatory Compliance, Program Execution, Human Resources, Finance, Contracts, and Corporate Communications, as well as from business teams and non-U.S. entities. It meets monthly to evaluate various aspects of data governance, including data ownership, classification, risk, quality, security, privacy, mapping, retention, unification, access and measurement. Its co-chairs and members serve as proponents of data governance at Leidos.
In addition, the DGSC has spun off several Working Groups, including a Records Retention Working Group, Data Classification Working Group, Data Privacy Working Group and Cyber Regulatory Working Group.
Audit and Risk Assessments
As outlined in our approach to cybersecurity, to further validate our externally-validated standards, Leidos Internal Audit has developed an Information Technology Risk Assessment Framework (IT-RAF) and a Cybersecurity Risk Assessment Framework (CS-RAF). Both of these frameworks are based on Industry Standard Frameworks (e.g., NIST 800-171) and identify various domains under broader categories, further details of which can be found within the Cybersecurity page of our Trust Center.
In addition, the Global Privacy Office has configured and implemented a software system to administer various types of data mapping questionnaires and Privacy Impact Assessments, as well as to process Subject Access Requests from individuals.
Preparedness and Incident Response
Leidos has an enterprise-wide Incident Response Plan and associated procedures which address how cybersecurity incidents and data spills are to be handled. These documents designate incident response teams, describe how to investigate and remediate cybersecurity incidents and data spills, and define escalation paths for key stakeholder communications.
Linked here are additional resources that further identify our approach and policies related to data privacy and governance.